On Thu, Aug 04, 2016 at 04:38:30PM +0000, David Carroll wrote:
> > -----Original Message-----
> > From: [email protected] [mailto:linux-scsi-
> > [email protected]] On Behalf Of Johannes Thumshirn
> > Sent: Thursday, August 04, 2016 2:36 AM
> > To: Martin K . Petersen; James Bottomley
> > Cc: Linux SCSI Mailinglist; Pengfei Wang; Johannes Thumshirn;
> > [email protected]
> > Subject: [PATCH] aacraid: prevent out-of-bounds access due to changing fib header sizes
> >
> > In aacraid's ioctl_send_fib() we do two fetches from userspace, one to get
> > the fib header's size and one for the fib itself. Later we use the size
> > field from the second fetch to further process the fib. If for some reason
> > the size from the second fetch is different from the first fetch, we may
> > encounter an out-of-bounds access in aac_fib_send(). This was reported in
> > https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned
> > CVE-2016-6480.
> >
> > Reported-by: Pengfei Wang <[email protected]>
> > Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
> > Cc: [email protected]
> > Signed-off-by: Johannes Thumshirn <[email protected]>
> > ---
> > drivers/scsi/aacraid/commctrl.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/scsi/aacraid/commctrl.c
> > b/drivers/scsi/aacraid/commctrl.c
> > index 4b3bb52..2d4acd1 100644
> > --- a/drivers/scsi/aacraid/commctrl.c
> > +++ b/drivers/scsi/aacraid/commctrl.c
> > @@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void
> > __user *arg)
> > goto cleanup;
> > }
> >
> > + if (size != le16_to_cpu(kfib->header.Size)
> > + + sizeof(struct aac_fibhdr)) {
> > + retval = -EINVAL;
> > + goto cleanup;
> > + }
> > +
> > if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
> > aac_adapter_interrupt(dev);
> > /*
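Review bot: the strict equality check added before the TakeABreakPt branch rejects valid requests whenever the earlier `size` was derived from `header.SenderSize` rather than from `header.Size + sizeof(struct aac_fibhdr)`; as the NAK that follows points out, `size` is the larger of the two. Validate the second fetch as an upper bound instead, i.e. reject when `le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr) > size` or `le16_to_cpu(kfib->header.SenderSize) > size`, and add a one-line comment saying the check exists because the header was copied from user memory twice and may have changed in between.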
> > --
> > 1.8.5.6
> >
>
> NAK, size is the MAX((header.size+hdr), sender_size). I will send a patch
> tomorrow which will ensure that neither of those values is larger than size
> on the second fetch.
>
> Thanks, -Dave
OK, I'm not sure I understood you correctly; did you mean something like this:
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index b381b37..a671b54 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -118,6 +118,10 @@ static int ioctl_send_fib(struct aac_dev * dev, void
__user *arg)
goto cleanup;
}
+ size = max((le16_to_cpu(kfib->header.Size)
+ + sizeof(struct aac_fibhdr)),
+ le16_to_cpu(kfib->header.SenderSize));
+
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
aac_adapter_interrupt(dev);
/*
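Review bot: this assignment recomputes `size` from the second fetch instead of checking the second fetch against it; if the recomputed value is larger than the one the buffer was sized from, the overrun moves rather than disappears. Keep the originally computed `size` and reject the request when either `le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr)` or `le16_to_cpu(kfib->header.SenderSize)` exceeds it, which is what the NAK asked for. Separately, `max()` here compares a `size_t` (the `+ sizeof(struct aac_fibhdr)` sum) with the `__u16` result of `le16_to_cpu(kfib->header.SenderSize)`; the kernel's `max()` type-checks its arguments and will warn about comparison of distinct pointer types, so if a max is kept it should be `max_t(size_t, ...)` or `max_t(unsigned int, ...)` to match the type of `size`.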
@@ -127,7 +131,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user
*arg)
kfib->header.XferState = 0;
} else {
retval = aac_fib_send(le16_to_cpu(kfib->header.Command), fibptr,
- le16_to_cpu(kfib->header.Size) , FsaNormal,
+ size , FsaNormal,
1, 1, NULL, NULL);
if (retval) {
goto cleanup;
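Review bot: the length passed to `aac_fib_send()` changes meaning on this line, from `le16_to_cpu(kfib->header.Size)` (header excluded) to `size`, which either includes `sizeof(struct aac_fibhdr)` or is `SenderSize`; confirm that `aac_fib_send()` expects that total rather than the header-excluded size before switching, since handing a larger length than before to the routine where the out-of-bounds access was reported works against the intent of the fix. The stray space in `size , FsaNormal`, inherited from the removed line, could also be dropped while the line is being touched.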
--
Johannes Thumshirn Storage
[email protected] +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
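The double fetch the commit message describes, modelled in user space as an added example (this is not aacraid code and not from any participant in this thread): the header is copied once to size the buffer, the whole FIB is copied a second time, and a "racer" rewrites the user memory in between. `struct fibhdr`, `FIB_MAX`, `fetch()`, `send_fib()` and the sample values are assumptions; `send_fib()` with `recheck == 0` takes its length from the second copy (the pre-fix shape), while `recheck == 1` rejects the request when either length-bearing field of the second copy exceeds the size the buffer was allocated with, the check the NAK asks for.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical FIB header with the three fields the thread mentions
 * (Size, SenderSize, Command); the widths and layout are assumptions. */
struct fibhdr {
    uint16_t size;        /* payload size, header excluded */
    uint16_t sender_size; /* total size as the sender sees it */
    uint16_t command;
};

#define FIB_MAX 256u  /* assumed upper bound on a whole FIB, header included */

/* Simulated user memory plus an optional "racer" that rewrites it in the
 * window between the two fetches (a second thread in the real kernel case). */
typedef void (*racer_fn)(unsigned char *user);
struct ctx {
    unsigned char user[FIB_MAX];
    racer_fn racer;
};

/* Stand-in for copy_from_user(); it never fails in this model. */
static void fetch(void *dst, const unsigned char *user, size_t n)
{
    memcpy(dst, user, n);
}

/* Rule from the NAK: a FIB occupies max(header.Size + header, header.SenderSize). */
static size_t fib_total(const struct fibhdr *h)
{
    size_t a = (size_t)h->size + sizeof *h;
    size_t b = h->sender_size;
    return a > b ? a : b;
}

/* Two fetches as in ioctl_send_fib(): header first (to size the buffer), then
 * the whole FIB. Returns the length the send path would use, 0 on error with
 * the error code in *rc. recheck == 1 validates the second copy against the
 * buffer sized from the first copy; recheck == 0 trusts the second copy. */
static size_t send_fib(struct ctx *c, int recheck, int *rc)
{
    struct fibhdr hdr, k;

    fetch(&hdr, c->user, sizeof hdr);            /* fetch 1: header only */
    size_t size = fib_total(&hdr);
    if (size > FIB_MAX) {
        *rc = -EINVAL;                           /* bound applied to fetch 1 */
        return 0;
    }
    unsigned char *kfib = malloc(size);          /* buffer sized from fetch 1 */
    if (c->racer)
        c->racer(c->user);                       /* the race window */
    fetch(kfib, c->user, size);                  /* fetch 2: whole FIB */
    memcpy(&k, kfib, sizeof k);
    free(kfib);

    if (recheck &&
        ((size_t)k.size + sizeof k > size || (size_t)k.sender_size > size)) {
        *rc = -EINVAL;                           /* second copy disagrees with the first */
        return 0;
    }
    *rc = 0;
    return (size_t)k.size + sizeof k;            /* length handed to the send path */
}

/* Constructed input: payload 32 bytes, SenderSize 40, so the buffer is 40 bytes. */
static void build_ctx(struct ctx *c, racer_fn racer)
{
    struct fibhdr h = { .size = 32, .sender_size = 40, .command = 1 };
    memset(c, 0, sizeof *c);
    memcpy(c->user, &h, sizeof h);
    c->racer = racer;
}

/* Racer: grows header.size to its maximum between the two fetches. */
static void grow_size(unsigned char *user)
{
    struct fibhdr h;
    memcpy(&h, user, sizeof h);
    h.size = 0xffff;
    memcpy(user, &h, sizeof h);
}

size_t demo_unchecked_len(void)       /* race, no recheck: 65541, far past the 40-byte buffer */
{
    struct ctx c; int rc;
    build_ctx(&c, grow_size);
    return send_fib(&c, 0, &rc);
}

int demo_checked_rc(void)             /* race, with recheck: -EINVAL */
{
    struct ctx c; int rc;
    build_ctx(&c, grow_size);
    send_fib(&c, 1, &rc);
    return rc;
}

size_t demo_checked_no_race_len(void) /* no race, with recheck: 38, accepted */
{
    struct ctx c; int rc;
    build_ctx(&c, NULL);
    return send_fib(&c, 1, &rc);
}

int main(void)
{
    printf("unchecked under race: %zu bytes (buffer was 40)\n", demo_unchecked_len());
    printf("checked under race:   rc=%d\n", demo_checked_rc());
    printf("checked, no race:     %zu bytes\n", demo_checked_no_race_len());
    return 0;
}
```

The point of the `recheck` branch is that the bound is re-derived from the buffer that was actually allocated, not from the fields of the second copy: any field that can influence a length downstream (`size` and `sender_size` here) is compared against that allocation, and a mismatch is an error rather than a reason to recompute.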