diff options
author | Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com> | 2013-10-31 14:01:02 +0530 |
---|---|---|
committer | Stefan Bader <stefan.bader@canonical.com> | 2014-05-20 16:35:11 +0200 |
commit | f549ee9d963abe5b30e7b05b8dcc47c57ebd5f28 (patch) | |
tree | 4ee57d704414f2e639f410270a8f976ee2254e6a | |
parent | 4281b39e6e7541b66169b607375ed83bd0065275 (diff) | |
download | linux-2.6.32.y-drm33.z-f549ee9d963abe5b30e7b05b8dcc47c57ebd5f28.tar.gz |
aacraid: prevent invalid pointer dereference
It appears that driver runs into a problem here if fibsize is too small
because we allocate user_srbcmd with fibsize size only but later we
access it until user_srbcmd->sg.count to copy it over to srbcmd.
It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
structure already includes one sg element and this is not needed for
commands without data. So, we would recommend to add the following
(instead of test for fibsize == 0).
Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit b4789b8e6be3151a955ade74872822f30e8cd914)
CVE-2013-6380
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-rw-r--r-- | drivers/scsi/aacraid/commctrl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c index a5b8e7b927019e..c8951747c9c900 100644 --- a/drivers/scsi/aacraid/commctrl.c +++ b/drivers/scsi/aacraid/commctrl.c @@ -507,7 +507,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) goto cleanup; } - if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { + if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || + (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { rcode = -EINVAL; goto cleanup; } |