In aacraid's ioctl_send_fib() we do two fetches from userspace, one to
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different from the one from the
first fetch, we may encounter an out-of-bounds access in aac_fib_send(). This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <[email protected]>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: [email protected]
Signed-off-by: Johannes Thumshirn <[email protected]>
---
 drivers/scsi/aacraid/commctrl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 4b3bb52..2d4acd1 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void 
__user *arg)
                goto cleanup;
        }
 
+       if (size != le16_to_cpu(kfib->header.Size)
+                       + sizeof(struct aac_fibhdr)) {
+               retval = -EINVAL;
+               goto cleanup;
+       }
+
        if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
                aac_adapter_interrupt(dev);
                /*
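Review bot: the new `if (size != le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr))` check at the top of the hunk has no comment saying why it exists, and the mismatch it rejects can only come from userspace changing the buffer between the two fetches, so a one-line comment above it (e.g. `/* reject if the header Size changed between the two copies from userspace */`) would keep the double-fetch rationale visible to readers who do not consult the log. The comparison itself is the right shape for this purpose: it ties the value downstream code will trust (the re-fetched header Size) back to the `size` established before the second fetch, and bailing to `cleanup` with -EINVAL matches the error path used by the surrounding code.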
-- 
1.8.5.6

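The double-fetch pattern described in the commit message, reduced to a runnable userspace model. This is an added example, not code from the aacraid driver or from the patch author: the struct layout, the `copy_from_user_sim()` stand-in, the `race` hook that plays the part of a second user thread rewriting the buffer between the two copies, and the return conventions are all assumptions made for illustration. The real driver reads the header's `Size` through `le16_to_cpu()`; the model omits byte-order conversion. The vulnerable path reports how many bytes the re-fetched `Size` would make later code touch; the hardened path applies the same equality check the patch adds and rejects the changed header.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the driver's fib header (fields assumed). */
struct aac_fibhdr {
    uint16_t Size;     /* payload size; the real driver stores this little-endian */
    uint16_t Command;
};

#define FIB_DATA_MAX 64

/* Constructed "user buffer": header followed by payload, as userspace would hand it in. */
struct user_fib {
    struct aac_fibhdr header;
    uint8_t data[FIB_DATA_MAX];
};

/* Hook run between the two fetches; stands in for a racing user thread. */
typedef void (*race_fn)(struct user_fib *ubuf);

/* Stand-in for copy_from_user(): plain memcpy, always succeeds. */
static int copy_from_user_sim(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/*
 * Model of ioctl_send_fib(): fetch the header, size the kernel copy from it,
 * then fetch the whole fib. Returns 0 when the re-fetched Size is consistent,
 * 1 when later code trusting that Size would read past the `size`-byte copy
 * (the out-of-bounds case), or -EINVAL/-ENOMEM on rejection.
 * *consumed receives the byte count downstream code would use.
 */
static int send_fib_sim(struct user_fib *ubuf, race_fn race, int hardened,
                        size_t *consumed)
{
    struct aac_fibhdr hdr;
    size_t size;
    uint8_t *kfib;
    struct aac_fibhdr *kh;
    int oob;

    /* First fetch: header only, used to decide how much to copy. */
    copy_from_user_sim(&hdr, ubuf, sizeof(hdr));
    size = (size_t)hdr.Size + sizeof(struct aac_fibhdr);
    if (size > sizeof(struct user_fib))
        return -EINVAL;

    kfib = malloc(size);
    if (!kfib)
        return -ENOMEM;

    /* Attacker window: userspace may rewrite the header now. */
    if (race)
        race(ubuf);

    /* Second fetch: the whole fib, `size` bytes, header included again. */
    copy_from_user_sim(kfib, ubuf, size);
    kh = (struct aac_fibhdr *)kfib;

    /* The patch's check: the re-fetched Size must match the first fetch. */
    if (hardened &&
        size != (size_t)kh->Size + sizeof(struct aac_fibhdr)) {
        free(kfib);
        return -EINVAL;
    }

    /* Unpatched code trusts kh->Size from here on. */
    *consumed = (size_t)kh->Size + sizeof(struct aac_fibhdr);
    oob = *consumed > size;
    free(kfib);
    return oob ? 1 : 0;
}

/* Racing thread: grow the header Size after the kernel has already sized its copy. */
static void grow_size(struct user_fib *ubuf)
{
    ubuf->header.Size = 60;
}

/* Build a fresh 8-byte-payload fib and run it through the model. */
static int run_case(int hardened, int with_race, size_t *consumed)
{
    struct user_fib ubuf;

    memset(&ubuf, 0, sizeof(ubuf));
    ubuf.header.Size = 8;       /* honest size: 8 payload bytes + 4-byte header = 12 */
    ubuf.header.Command = 1;
    *consumed = 0;
    return send_fib_sim(&ubuf, with_race ? grow_size : NULL, hardened, consumed);
}

int main(void)
{
    size_t c;
    int r;

    r = run_case(0, 1, &c);
    printf("unpatched, racing user: rc=%d, downstream would use %zu bytes\n", r, c);
    r = run_case(1, 1, &c);
    printf("patched,   racing user: rc=%d (%s)\n", r, r == -EINVAL ? "rejected" : "accepted");
    return 0;
}
```

Without a racing writer both variants accept the fib and use 12 bytes; with the writer the unpatched path ends up trusting a 64-byte Size against a 12-byte kernel copy, which is the condition the commit message describes, while the patched path returns -EINVAL before any of that code runs.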