From 593f0eedef3c15016e4c926b1d253d9c05f16bd3 Mon Sep 17 00:00:00 2001
From: Justin M. Forbes <jforbes@redhat.com>
Date: Aug 23 2016 13:57:16 +0000
Subject: CVE-2016-6480 aacraid: Check size values after double-fetch from user


---

diff --git a/aacraid-Check-size-values-after-double-fetch-from-us.patch b/aacraid-Check-size-values-after-double-fetch-from-us.patch
new file mode 100644
index 0000000..6ff7711
--- /dev/null
+++ b/aacraid-Check-size-values-after-double-fetch-from-us.patch
@@ -0,0 +1,65 @@
+From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 5 Aug 2016 13:44:10 -0600
+Subject: [PATCH] aacraid: Check size values after double-fetch from user
+
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of- bounds access in aac_fib_send(). We
+also check the sender size to insure it is not out of bounds. This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index b381b37..5648b71 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+ 	struct fib *fibptr;
+ 	struct hw_fib * hw_fib = (struct hw_fib *)0;
+ 	dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
+-	unsigned size;
++	unsigned int size, osize;
+ 	int retval;
+
+ 	if (dev->in_reset) {
+@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+ 	 *	will not overrun the buffer when we copy the memory. Return
+ 	 *	an error if we would.
+ 	 */
+-	size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
++	osize = size = le16_to_cpu(kfib->header.Size) +
++		sizeof(struct aac_fibhdr);
+ 	if (size < le16_to_cpu(kfib->header.SenderSize))
+ 		size = le16_to_cpu(kfib->header.SenderSize);
+ 	if (size > dev->max_fib_size) {
+@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+ 		goto cleanup;
+ 	}
+
++	/* Sanity check the second copy */
++	if ((osize != le16_to_cpu(kfib->header.Size) +
++		sizeof(struct aac_fibhdr))
++		|| (size < le16_to_cpu(kfib->header.SenderSize))) {
++		retval = -EINVAL;
++		goto cleanup;
++	}
++
+ 	if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+ 		aac_adapter_interrupt(dev);
+ 		/*
+-- 
+2.7.4
+
diff --git a/kernel.spec b/kernel.spec
index 9788f61..350bbde 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -629,6 +629,9 @@ Patch838: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
 #rhbz 1353558
 Patch844: 0001-selinux-Only-apply-bounds-checking-to-source-types.patch
 
+#CVE-2016-6480 rhbz 1362466 1362467
+Patch855: aacraid-Check-size-values-after-double-fetch-from-us.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2154,6 +2157,9 @@ fi
 #
 # 
 %changelog
+* Tue Aug 23 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-6480 aacraid: Check size values after double-fetch from user (rhbz 1362466 1362467)
+
 * Mon Aug 22 2016 Laura Abbott <labbott@redhat.com> - 4.7.2-200
 - Linux v4.7.2