
Commit fa00c43

Dave Carroll authored and martinkpetersen committed
aacraid: Check size values after double-fetch from user
In aacraid's ioctl_send_fib() we do two fetches from userspace, one to get the fib header's size and one for the fib itself. Later we use the size field from the second fetch to further process the fib. If for some reason the size from the second fetch is different from that of the first fetch, we may encounter an out-of-bounds access in aac_fib_send(). We also check the sender size to ensure it is not out of bounds.

This was reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent ea0a95d commit fa00c43
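The double-fetch the commit message describes, reduced to its arithmetic as an added example (this is not the driver's code and not part of the commit). Assumptions: a two-field stand-in for the fib header holding only Size and SenderSize in host byte order, memcpy() standing in for copy_from_user(), and two separate header values modelling what user memory held at the first and at the second copy, which is how a racing user thread changes the data between fetches. send_fib_vulnerable() is the pre-patch flow that trusts the second copy; send_fib_fixed() adds the re-validation the patch introduces.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the fib header (assumption: only the two fields the patch
 * checks; the real struct aac_fibhdr has more, and is little-endian). */
struct fibhdr {
    uint16_t Size;
    uint16_t SenderSize;
};

#define HDR_LEN ((unsigned int)sizeof(struct fibhdr))

/* First fetch: compute the buffer size the way the driver does. osize is
 * the raw header-derived size, size may be raised to SenderSize.
 * Returns 0 when size fits max_fib_size, -1 (EINVAL) otherwise. */
static int size_from_first_fetch(const struct fibhdr *user_hdr,
                                 unsigned int max_fib_size,
                                 unsigned int *osize, unsigned int *size)
{
    struct fibhdr k;
    memcpy(&k, user_hdr, sizeof(k));               /* copy_from_user #1 */
    *osize = *size = k.Size + HDR_LEN;
    if (*size < k.SenderSize)
        *size = k.SenderSize;
    return *size > max_fib_size ? -1 : 0;
}

/* Second fetch plus the re-check the patch adds: the copy itself is bounded
 * by size, the check rejects a header that changed in between so that later
 * code trusting kfib->Size / kfib->SenderSize stays inside the allocation. */
static int fetch_and_recheck(const struct fibhdr *user_hdr,
                             unsigned int osize, unsigned int size,
                             struct fibhdr *kfib)
{
    memcpy(kfib, user_hdr, sizeof(*kfib));         /* copy_from_user #2 */
    if (osize != kfib->Size + HDR_LEN || size < kfib->SenderSize)
        return -1;
    return 0;
}

/* hdr_at_copy1 / hdr_at_copy2: user memory contents at each copy.
 * Returns the size the kernel would go on to use, or 0 when rejected. */
unsigned int send_fib_fixed(struct fibhdr hdr_at_copy1,
                            struct fibhdr hdr_at_copy2,
                            unsigned int max_fib_size)
{
    unsigned int osize, size;
    struct fibhdr kfib;

    if (size_from_first_fetch(&hdr_at_copy1, max_fib_size, &osize, &size))
        return 0;
    if (fetch_and_recheck(&hdr_at_copy2, osize, size, &kfib))
        return 0;
    return kfib.Size + HDR_LEN;      /* guaranteed <= size <= max_fib_size */
}

/* Pre-patch flow: no re-check, so the size used later comes straight from
 * the second (possibly changed) header and can exceed the allocation. */
unsigned int send_fib_vulnerable(struct fibhdr hdr_at_copy1,
                                 struct fibhdr hdr_at_copy2,
                                 unsigned int max_fib_size)
{
    unsigned int osize, size;
    struct fibhdr kfib;

    if (size_from_first_fetch(&hdr_at_copy1, max_fib_size, &osize, &size))
        return 0;
    memcpy(&kfib, &hdr_at_copy2, sizeof(kfib));    /* copy_from_user #2 */
    return kfib.Size + HDR_LEN;      /* unchecked against size */
}

int main(void)
{
    /* Constructed inputs: a benign header, and the header a racing thread
     * swaps in between the two copies. max_fib_size is 512 here. */
    struct fibhdr honest  = { 64, 32 };
    struct fibhdr flipped = { 4000, 32 };

    printf("fixed, stable header:  %u\n", send_fib_fixed(honest, honest, 512));
    printf("fixed, flipped header: %u\n", send_fib_fixed(honest, flipped, 512));
    printf("vuln,  flipped header: %u\n", send_fib_vulnerable(honest, flipped, 512));
    return 0;
}
```

With a 512-byte limit the honest header yields 68 bytes both ways; once the header flips to Size=4000 between copies, the vulnerable path hands 4004 bytes on to later processing from a buffer sized for 68, while the fixed path rejects the request. A SenderSize that changes to a smaller value still passes the re-check, which is sound for bounds purposes: anything at or below the clamped size fits the buffer.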

File tree

1 file changed

+11
-2
lines changed


drivers/scsi/aacraid/commctrl.c

Lines changed: 11 additions & 2 deletions
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
6363
struct fib *fibptr;
6464
struct hw_fib * hw_fib = (struct hw_fib *)0;
6565
dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
66-
unsigned size;
66+
unsigned int size, osize;
6767
int retval;
6868

6969
if (dev->in_reset) {
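Review bot: the new name in `unsigned int size, osize;` does not say what `osize` holds or why it exists alongside `size`; a short comment at the declaration (or a name such as `hdr_size`) would record that it is the header-derived size from the first fetch, kept unclamped so it can be compared against the second copy.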
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
8787
* will not overrun the buffer when we copy the memory. Return
8888
* an error if we would.
8989
*/
90-
size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
90+
osize = size = le16_to_cpu(kfib->header.Size) +
91+
sizeof(struct aac_fibhdr);
9192
if (size < le16_to_cpu(kfib->header.SenderSize))
9293
size = le16_to_cpu(kfib->header.SenderSize);
9394
if (size > dev->max_fib_size) {
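Review bot: `osize` keeps the pre-clamp value while `size` may be raised to `SenderSize` two lines later, but the comment just above the assignment (lines 87-89) still describes only the copy-bounds purpose; suggest extending it to say the original value is retained for re-validation after the second copy_from_user(), otherwise a later reader may fold `osize` back into `size`. Also `le16_to_cpu(kfib->header.SenderSize)` is evaluated twice in this hunk; reading it into a local once would keep the split assignment on one line.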
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
118119
goto cleanup;
119120
}
120121

122+
/* Sanity check the second copy */
123+
if ((osize != le16_to_cpu(kfib->header.Size) +
124+
sizeof(struct aac_fibhdr))
125+
|| (size < le16_to_cpu(kfib->header.SenderSize))) {
126+
retval = -EINVAL;
127+
goto cleanup;
128+
}
129+
121130
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
122131
aac_adapter_interrupt(dev);
123132
/*
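Review bot: the re-check rejects a second-copy `Size` that differs from the first at all, but only rejects a `SenderSize` that exceeds the already-clamped `size`, so a `SenderSize` that changed to a smaller value passes; that is sound for bounds (anything at or below `size` fits the buffer), but `/* Sanity check the second copy */` should state the invariant it enforces, that the header fields still fit the allocation sized from the first copy, rather than implying the header must be unchanged, so nobody later tightens or loosens it by accident. Reading both fields into locals with a single `le16_to_cpu()` each would also shorten the three-line condition.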

0 commit comments