diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch
new file mode 100644
index 0000000..f5517ab
--- /dev/null
+++ b/aacraid-prevent-invalid-pointer-dereference.patch
@@ -0,0 +1,42 @@
+Bugzilla: 1033593
+Upstream-status: 3.13
+
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: [PATCH] aacraid: prevent invalid pointer dereference
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data. So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Linus Torvalds
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index d85ac1a..fbcd48d 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
+--
+1.8.3.1
+
diff --git a/kernel.spec b/kernel.spec
index f3d7269..80cc73c 100644
--- a/kernel.spec
+++ b/kernel.spec
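Review bot: The new lower bound on fibsize (the `++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry)))` line of the nested commctrl.c hunk) only guarantees that the sg-less prefix of `struct user_aac_srb` was copied in, so any later read of the sg entries that follow `user_srbcmd->sg.count` must still be bounded against fibsize using that count; whether such a check exists cannot be seen here, because aac_send_raw_srb continues past the end of the hunk. The commit message explains the reasoning (one embedded sg element is not required for commands without data), but the code itself does not, so a comment above the condition would help the next reader, e.g. `/* fibsize must cover the srb header minus its one embedded sg entry; the sg entries themselves must be bounded by sg.count later */`. The error path is consistent with the existing upper-bound test (same `-EINVAL` and `goto cleanup`), which is the right shape for user-controlled sizes.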
@@ -824,6 +824,9 @@ Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
#CVE-2013-6378 rhbz 1033578 1034183
Patch25155: libertas-potential-oops-in-debugfs.patch
+#CVE-2013-6380 rhbz 1033593 1034304
+Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1606,6 +1609,9 @@ ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
#CVE-2013-6378 rhbz 1033578 1034183
ApplyPatch libertas-potential-oops-in-debugfs.patch
+#CVE-2013-6380 rhbz 1033593 1034304
+ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2409,6 +2415,7 @@ fi
# || ||
%changelog
* Mon Nov 25 2013 Josh Boyer
+- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
* Fri Nov 22 2013 Josh Boyer