> -----Original Message-----
> From: linux-scsi-ow...@vger.kernel.org [mailto:linux-scsi-ow...@vger.kernel.org] On Behalf Of Pengfei Wang
> Sent: Thursday, July 07, 2016 7:00 AM
> To: linux-scsi@vger.kernel.org
> Subject: Re: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
> Hi,
> 
> Will anyone bother to confirm and fix this problem I reported last time? From
> the point of view of security, I think it should be fixed.
> I have discovered several cases of the same kind and all have been fixed by
> the maintainers. Thanks!
> 
> Pengfei
> 

Hi Pengfei,

I'm currently working on a patch set for the HBA-1000 card, and I agree with 
your assessment. We will check the sizes and return an error if the size is 
larger than when first checked, i.e.

        /* second fetch: copy the whole FIB, bounded by the size computed
         * from the first fetch of the header */
        if (copy_from_user(kfib, arg, size)) {
                retval = -EFAULT;
                goto cleanup;
        }

        /* re-validate: the Size field that actually arrived must still fit
         * in the buffer sized from the first fetch, otherwise user space
         * changed it in between and the request is rejected */
        if (unlikely((le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr)) > size)) {
                retval = -EINVAL;
                goto cleanup;
        }

Thanks, -Dave
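The pattern discussed in this thread, as an added stand-alone example rather than the aacraid driver's own code: a handler reads a header from user memory to learn the request size, allocates a kernel buffer, copies the full request, and then re-checks the size that arrived against the size it allocated for. Everything here is a simplified model, not the driver: `struct fib_hdr` stands in for `struct aac_fibhdr` (only a native-endian Size field is modelled, where the driver uses `le16_to_cpu`), `MAX_FIB_SIZE` stands in for `dev->max_fib_size`, `fake_copy_from_user` is a plain `memcpy` over an in-process array, and the optional `race` callback simulates a concurrent writer modifying the user buffer between the two fetches so the re-check can be exercised in a test.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for struct aac_fibhdr: only the Size
 * field is modelled. The driver reads Size with le16_to_cpu(); this model
 * uses the host's native byte order. */
struct fib_hdr {
    uint16_t size;      /* length of the payload following the header */
    uint16_t reserved;
};

#define MAX_FIB_SIZE 512  /* constructed stand-in for dev->max_fib_size */

/* Simulated concurrent writer, run between the two fetches (test hook). */
typedef void (*race_fn)(unsigned char *user_buf);

/* Stand-in for copy_from_user(): the "user" buffer is an ordinary array. */
static int fake_copy_from_user(void *dst, const unsigned char *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/*
 * Hardened handler modelled on the check in the reply above: after the
 * second, full copy, the Size in the copied header is compared against the
 * size the kernel buffer was allocated for. A mismatch is rejected with
 * -EINVAL instead of being trusted. Returns 0 on success (caller frees
 * *out) or a negative errno.
 */
int send_fib_checked(unsigned char *user_buf, race_fn race,
                     unsigned char **out, size_t *out_len)
{
    struct fib_hdr hdr;
    size_t size;
    unsigned char *kfib;

    *out = NULL;
    *out_len = 0;

    /* First fetch: header only, to learn how much to copy. */
    if (fake_copy_from_user(&hdr, user_buf, sizeof(hdr)))
        return -EFAULT;

    size = (size_t)hdr.size + sizeof(struct fib_hdr);
    if (size > MAX_FIB_SIZE)
        return -EINVAL;

    kfib = malloc(size);
    if (!kfib)
        return -ENOMEM;

    /* The window between the fetches: user memory may change here. */
    if (race)
        race(user_buf);

    /* Second fetch: the full FIB, bounded by the size from the first fetch. */
    if (fake_copy_from_user(kfib, user_buf, size)) {
        free(kfib);
        return -EFAULT;
    }

    /* Re-validate on the data that actually arrived. */
    memcpy(&hdr, kfib, sizeof(hdr));
    if ((size_t)hdr.size + sizeof(struct fib_hdr) > size) {
        free(kfib);
        return -EINVAL;
    }

    *out = kfib;
    *out_len = size;
    return 0;
}

/* Constructed user-space FIB buffer and a builder for it. */
unsigned char user_fib[MAX_FIB_SIZE];

void build_user_fib(uint16_t payload_len)
{
    struct fib_hdr hdr = { payload_len, 0 };
    memset(user_fib, 0, sizeof(user_fib));
    memcpy(user_fib, &hdr, sizeof(hdr));
}

/* Test hook: changes the advertised Size after the first fetch. */
void grow_size_between_fetches(unsigned char *buf)
{
    struct fib_hdr hdr;
    memcpy(&hdr, buf, sizeof(hdr));
    hdr.size = 400;
    memcpy(buf, &hdr, sizeof(hdr));
}

/* Status-only wrappers: a stable request, and one modified mid-way. */
int demo_no_race(void)
{
    unsigned char *out; size_t len; int rc;
    build_user_fib(16);
    rc = send_fib_checked(user_fib, NULL, &out, &len);
    free(out);
    return rc;
}

int demo_with_race(void)
{
    unsigned char *out; size_t len; int rc;
    build_user_fib(16);
    rc = send_fib_checked(user_fib, grow_size_between_fetches, &out, &len);
    free(out);
    return rc;
}
```

With a stable request `demo_no_race()` returns 0 and the caller gets a 20-byte buffer (16-byte payload plus the 4-byte model header); when the Size field is altered between the fetches, `demo_with_race()` returns -EINVAL and no buffer is handed out, which is the behaviour the proposed check adds to the driver.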
