The patch titled
     drivers/scsi/mpt2sas/mpt2sas_ctl.c: fix unbounded copy_to_user()
has been removed from the -mm tree.  Its filename was
     drivers-scsi-mpt2sas-mpt2sas_ctlc-fix-unbounded-copy_to_user.patch

This patch was dropped because an updated version will be merged

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: drivers/scsi/mpt2sas/mpt2sas_ctl.c: fix unbounded copy_to_user()
From: Andrew Morton <[email protected]>

In _ctl_diag_read_buffer() on line 2019, user-supplied values are
used to determine the size of a copy_to_user() as well as the offset
into the buffer to be read, with no bounds checking.  I'm not familiar
with this code, so I'm not sure what checks would be appropriate, but
letting unprivileged users read arbitrary kernel memory probably isn't
intended.

Reported-by: Dan Rosenberg <[email protected]>
Cc: Eric Moore <[email protected]>
Cc: Desai Kashyap <[email protected]>
Cc: Eugene Teo <[email protected]>
Cc: James Bottomley <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
---

 drivers/scsi/mpt2sas/mpt2sas_ctl.c |    3 +++
 1 file changed, 3 insertions(+)

diff -puN 
drivers/scsi/mpt2sas/mpt2sas_ctl.c~drivers-scsi-mpt2sas-mpt2sas_ctlc-fix-unbounded-copy_to_user
 drivers/scsi/mpt2sas/mpt2sas_ctl.c
--- 
a/drivers/scsi/mpt2sas/mpt2sas_ctl.c~drivers-scsi-mpt2sas-mpt2sas_ctlc-fix-unbounded-copy_to_user
+++ a/drivers/scsi/mpt2sas/mpt2sas_ctl.c
@@ -2011,6 +2011,9 @@ _ctl_diag_read_buffer(void __user *arg, 
            "offset(%d), sz(%d)\n", ioc->name, __func__,
            diag_data, karg.starting_offset, karg.bytes_to_read));
 
+       if (karg.bytes_to_read != sizeof(uarg->diagnostic_data))
+               return -EINVAL;
+
        if (copy_to_user((void __user *)uarg->diagnostic_data,
            diag_data, karg.bytes_to_read)) {
                printk(MPT2SAS_ERR_FMT "%s: Unable to write "
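
Review bot: The added check in _ctl_diag_read_buffer() bounds only karg.bytes_to_read; karg.starting_offset, which the commit message names as the second user-controlled value, is still unvalidated when the copy_to_user() from diag_data runs. The comparison is also made against sizeof(uarg->diagnostic_data), the size of the user-side destination, which says nothing about how many bytes are valid behind diag_data in the kernel. Consider rejecting the request with -EINVAL when starting_offset, or starting_offset plus bytes_to_read, exceeds the size of the kernel diag buffer being read, written so the sum cannot wrap. Separately, the strict "!=" makes any shorter read fail; if partial reads are a legitimate use of this ioctl, an upper bound (">") would close the over-read without changing behaviour for existing callers.
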
_

Patches currently in -mm which might be from [email protected] are

origin.patch
linux-next.patch
next-remove-localversion.patch
i-need-old-gcc.patch
hid-examplec-is-borked.patch
arch-alpha-kernel-systblss-remove-debug-check.patch
drivers-i2c-busses-i2c-designware-corec-needs-delayh.patch
vfs-avoid-large-kmallocs-for-the-fdtable.patch
arch-x86-include-asm-delayh-fix-udelay-and-ndelay-for-8-bit-args.patch
drivers-gpu-drm-radeon-atomc-fix-warning.patch
leds-route-kbd-leds-through-the-generic-leds-layer.patch
backlight-add-backlight-type-fix.patch
backlight-add-backlight-type-fix-fix.patch
drivers-video-backlight-adp5520_blc-check-strict_strtoul-return-value-fix.patch
drivers-message-fusion-mptsasc-fix-warning.patch
osst-wrong-index-used-in-inner-loop-checkpatch-fixes.patch
drivers-scsi-osstc-fix-warning.patch
drbd-fix-warning.patch
drivers-usb-misc-usbtestc-fix-warning.patch
mm.patch
mm-nommu-sort-mm-mmap-list-properly-fix.patch
mm-per-node-vmstat-show-proper-vmstats-fix.patch
mm-mem-hotplug-update-pcp-stat_threshold-when-memory-hotplug-occur-fix.patch
frv-duplicate-output_buffer-of-e03-checkpatch-fixes.patch
hpet-factor-timer-allocate-from-open.patch
arch-alpha-include-asm-ioh-s-extern-inline-static-inline.patch
init-calibratec-fix-for-critical-bogomips-intermittent-calculation-failure-checkpatch-fixes.patch
init-calibratec-fix-for-critical-bogomips-intermittent-calculation-failure-fix.patch
lru_cache-use-correct-type-in-sizeof-for-allocation-fix.patch
lib-genpoolc-document-return-values-fix-gen_pool_add_virt-return-value.patch
percpu_counter-change-return-value-and-add-comments-fix.patch
lib-hexdumpc-make-hex2bin-return-the-updated-src-address.patch
fs-binfmt_miscc-use-kernels-hex_to_bin-method-fix.patch
fs-binfmt_miscc-use-kernels-hex_to_bin-method-fix-fix.patch
fs-ncpfs-inodec-suppress-used-uninitialised-warning.patch
drivers-tty-vt-vt_ioctlc-repair-insane-expression.patch
drivers-rtc-rtc-mrstc-use-release_mem_region-after-request_mem_region-fix.patch
rtc-driver-for-pt7c4338-chip-checkpatch-fixes.patch
rtc-driver-for-pt7c4338-chip-fix.patch
documentation-accounting-getdelaysc-handle-sendto-failures.patch
mm-move-enum-vm_event_item-into-a-standalone-header-file.patch
add-the-pagefault-count-into-memcg-stats-fix.patch
cpusets-randomize-node-rotor-used-in-cpuset_mem_spread_node.patch
dev-kmsg-properly-support-writev-to-avoid-interleaved-printk-lines-fix.patch
fs-partitions-efic-corrupted-guid-partition-tables-can-cause-kernel-oops-fix.patch
scatterlist-new-helper-functions.patch
scatterlist-new-helper-functions-update-fix.patch
kexec-remove-kmsg_dump_kexec-fix.patch
journal_add_journal_head-debug.patch
mutex-subsystem-synchro-test-module-fix.patch
slab-leaks3-default-y.patch
put_bh-debug.patch
memblock-add-input-size-checking-to-memblock_find_region.patch
memblock-add-input-size-checking-to-memblock_find_region-fix.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
