|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Bugzilla: 1033593
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Upstream-status: 3.13
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Date: Thu, 31 Oct 2013 14:01:02 +0530
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Subject: [PATCH] aacraid: prevent invalid pointer dereference
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
It appears that driver runs into a problem here if fibsize is too small
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
because we allocate user_srbcmd with fibsize size only but later we
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
access it until user_srbcmd->sg.count to copy it over to srbcmd.
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
structure already includes one sg element and this is not needed for
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
commands without data. So, we would recommend to add the following
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
(instead of test for fibsize == 0).
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Reported-by: Nico Golde <nico@ngolde.de>
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
---
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
drivers/scsi/aacraid/commctrl.c | 3 ++-
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
index d85ac1a..fbcd48d 100644
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
--- a/drivers/scsi/aacraid/commctrl.c
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
+++ b/drivers/scsi/aacraid/commctrl.c
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
goto cleanup;
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
}
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
rcode = -EINVAL;
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
goto cleanup;
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
}
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
--
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
1.8.3.1
|
|
![](https://seccdn.libravatar.org/avatar/2b3dd3a56b56c16f6e54c1904578f5f0100d27020cdfbf6479a4e47482e712c0?s=16&d=retro) |
457c715 |
|