aacraid: Check size values after double-fetch from user - xavi/android_kernel_m2note - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Dave Carroll <david.carroll@microsemi.com>	2016-08-05 13:44:10 -0600
committer	Moyster <oysterized@gmail.com>	2016-11-07 13:44:34 +0100
commit	6f1d1c67cf05bd2d58e6c65b69e0f8a63959bac0 (patch)
tree	3e51c10563faca30f5e0a3645838463c3c0c29f5 /tools/perf/scripts/python
parent	811a54dd630be98a891aafd66801ec9ba40b030c (diff)
download	android_kernel_m2note-6f1d1c67cf05bd2d58e6c65b69e0f8a63959bac0.tar.gz

aacraid: Check size values after double-fetch from user

commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream. In aacraid's ioctl_send_fib() we do two fetches from userspace, one the get the fib header's size and one for the fib itself. Later we use the size field from the second fetch to further process the fib. If for some reason the size from the second fetch is different than from the first fix, we may encounter an out-of- bounds access in aac_fib_send(). We also check the sender size to insure it is not out of bounds. This was reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-2016-6480. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' Cc: stable@vger.kernel.org Signed-off-by: Dave Carroll <david.carroll@microsemi.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Willy Tarreau <w@1wt.eu>

Diffstat (limited to 'tools/perf/scripts/python')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: