From 813bda51224f9d9b0889ab6f91eebbbd98d2645a Mon Sep 17 00:00:00 2001
From: Justin M. Forbes <jforbes@redhat.com>
Date: Sep 19 2016 14:38:18 +0000
Subject: CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)


---

diff --git a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
new file mode 100644
index 0000000..81ed881
--- /dev/null
+++ b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
@@ -0,0 +1,41 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: 2016-09-15 13:44:56
+Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer()
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+
+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
+index 7640498..110eca9 100644
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ 	}
+ 	case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ 		unsigned char *ver_addr;
+-		int32_t user_len, cnt2end;
++		uint32_t user_len;
++		int32_t cnt2end;
+ 		uint8_t *pQbuffer, *ptmpuserbuffer;
+ 		ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ 		if (!ver_addr) {
+@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ 		}
+ 		ptmpuserbuffer = ver_addr;
+ 		user_len = pcmdmessagefld->cmdmessage.Length;
++		if (user_len > ARCMSR_API_DATA_BUFLEN) {
++			retvalue = ARCMSR_MESSAGE_FAIL;
++			kfree(ver_addr);
++			goto message_out;
++		}
+ 		memcpy(ptmpuserbuffer,
+ 			pcmdmessagefld->messagedatabuffer, user_len);
+ 		spin_lock_irqsave(&acb->wqbuffer_lock, flags);
+--
+To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff --git a/kernel.spec b/kernel.spec
index 824168c..26b71cf 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -642,6 +642,9 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
 #ongoing complaint, full discussion delayed until ksummit/plumbers
 Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch
 
+#CVE-2016-7425 rhbz 1377330 1377331
+Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2164,6 +2167,9 @@ fi
 #
 # 
 %changelog
+* Mon Sep 19 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
+
 * Thu Sep 15 2016 Laura Abbott <labbott@fedoraproject.org> - 4.7.4-100
 - Linux v4.7.4