author    Jeff Mahoney <jeffm@suse.com>  2017-08-31 10:15:20 -0400
committer Jeff Mahoney <jeffm@suse.com>  2017-08-31 10:15:20 -0400
commit    896eb7ce9c83f70e818bf3efa7d9eb39c4488fa2
tree      2a1634fce66fcb2e246fca7ed542d454065b9d85
parent    3ce18e90c5cee96756125dad94a3573e929f696e
parent    aacb454f1fceb4a3798d1642397fd13ced053b63
Merge remote-tracking branch 'origin/users/jthumshirn/master/for-next'
-rw-r--r--  patches.drivers/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch  66
-rw-r--r--  series.conf  2
2 files changed, 68 insertions, 0 deletions
diff --git a/patches.drivers/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch b/patches.drivers/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
new file mode 100644
index 0000000000..8ad35bc90c
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
@@ -0,0 +1,66 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 30 Aug 2017 16:30:35 +0300
+Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git
+Git-commit: e6f77540c067b48dee10f1e33678415bfcc89017
+References: bsc#1056588, CVE-2017-14051
+
+The value of "size" comes from the user. When we add "start + size" it
+could lead to an integer overflow bug.
+
+It means we vmalloc() a lot more memory than we had intended. I believe
+that on 64 bit systems vmalloc() can succeed even if we ask it to
+allocate huge 4GB buffers. So we would get memory corruption and likely
+a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
+
+Only root can trigger this bug.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+
+Cc: <stable@vger.kernel.org>
+Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
+Reported-by: shqking <shqking@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 08a1feb3a195..8c6ff1682fb1 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ return -EINVAL;
+ if (start > ha->optrom_size)
+ return -EINVAL;
++ if (size > ha->optrom_size - start)
++ size = ha->optrom_size - start;
+
+ mutex_lock(&ha->optrom_mutex);
+ switch (val) {
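Review bot: With the clamp placed here, before the `switch (val)`, every later use in this function can rely on `start + size <= ha->optrom_size`, so the per-case ternaries that used to repeat this clamp should collapse to a plain `ha->optrom_region_size = size;` rather than be rewritten into something else. The clamp itself is sound: `start > ha->optrom_size` has just been rejected, so `ha->optrom_size - start` cannot underflow, and comparing `size` against the remaining space avoids the wrapping `start + size` sum entirely. One edge to consider: `start == ha->optrom_size` still passes the check above and clamps `size` to 0; if a zero-length region is not meaningful for the read/write paths below, returning -EINVAL for it here would be clearer than letting it reach the region setup.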
+@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size > ha->optrom_size ?
+- ha->optrom_size - start : size;
++ ha->optrom_region_size = start + size;
+
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
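Review bot: `ha->optrom_region_size = start + size;` stores the end offset of the region, but the field it replaces held a length (`size`, or `ha->optrom_size - start` when clamped) and is passed straight to `vmalloc()` as a byte count two lines below, so the buffer is now over-allocated by `start` bytes; and if, as the commit message suggests, the same field is later handed to `ha->isp_ops->read_optrom()` as a length relative to `optrom_region_start`, the read would extend `start` bytes past the end of the flash. Because the clamp added earlier in the function already guarantees `start + size <= ha->optrom_size`, the old ternary reduces to `size`, and that is what this line should assign: `ha->optrom_region_size = size;`.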
+@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size > ha->optrom_size ?
+- ha->optrom_size - start : size;
++ ha->optrom_region_size = start + size;
+
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
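Review bot: Same problem as in the QLA_SREADING case: `ha->optrom_region_size = start + size;` should be `ha->optrom_region_size = size;`, since the clamp at the top of the function has already bounded `size` and the old ternary would now always evaluate to `size`. For the write path this deserves a second look before merging, because a region length that is `start` bytes too long, if it reaches `->write_optrom()` as the amount to program, would write flash beyond the window the caller asked for, which is the corruption scenario this fix is meant to close.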
+--
+2.12.3
+
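The wrap described in the commit message, shown on the pre-patch and post-patch clamps side by side. This is an added example, not code from the driver or the patch. It assumes `start` and `size` are 32-bit unsigned values (the commit message says they come from the user) and uses a constructed 2 MiB flash size; the `region_len_strict` variant generalises the fix to an overflow-detecting check that rejects instead of silently clamping, which is not what the patch does.

```c
/* Integer-overflow trap in region clamping, modelled on the pre- and post-patch
 * checks in qla2x00_sysfs_write_optrom_ctl(). Added example, not driver code.
 * Assumption: start/size are 32-bit unsigned; the flash size below is invented. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define OPTROM_SIZE_EXAMPLE 0x200000u  /* constructed 2 MiB flash, not a real board value */

/* Pre-patch logic: start + size is computed in 32 bits and may wrap, so a
 * wrapped sum compares as "small" and the clamp is skipped. Returns the
 * region length, or -EINVAL. */
static long long region_len_old(uint32_t start, uint32_t size, uint32_t optrom_size)
{
	if (start > optrom_size)
		return -EINVAL;
	return start + size > optrom_size ? optrom_size - start : size;
}

/* Post-patch logic: compare size against the remaining space instead.
 * optrom_size - start cannot underflow because start <= optrom_size here. */
static long long region_len_new(uint32_t start, uint32_t size, uint32_t optrom_size)
{
	if (start > optrom_size)
		return -EINVAL;
	if (size > optrom_size - start)
		size = optrom_size - start;
	return size;
}

/* Strict variant (generalisation, not what the patch does): detect the wrap
 * with the compiler builtin and reject the request rather than shrink it.
 * __builtin_add_overflow is GCC/Clang specific. */
static long long region_len_strict(uint32_t start, uint32_t size, uint32_t optrom_size)
{
	uint32_t end;

	if (__builtin_add_overflow(start, size, &end) || end > optrom_size)
		return -EINVAL;
	return size;
}

/* Post-condition every variant must satisfy before the length reaches
 * vmalloc() or the flash helpers: [start, start + len) lies inside the flash. */
static int region_fits(uint32_t start, long long len, uint32_t optrom_size)
{
	return len >= 0 && start <= optrom_size &&
	       (uint64_t)len <= (uint64_t)(optrom_size - start);
}

int main(void)
{
	/* Constructed input: start + size == 2^32 exactly, so the sum wraps to 0. */
	const uint32_t start = 0x100, size = 0xFFFFFF00u;
	long long old = region_len_old(start, size, OPTROM_SIZE_EXAMPLE);
	long long fixed = region_len_new(start, size, OPTROM_SIZE_EXAMPLE);
	long long strict = region_len_strict(start, size, OPTROM_SIZE_EXAMPLE);

	printf("old clamp   : len=0x%llx fits=%d\n", (unsigned long long)old,
	       region_fits(start, old, OPTROM_SIZE_EXAMPLE));
	printf("fixed clamp : len=0x%llx fits=%d\n", (unsigned long long)fixed,
	       region_fits(start, fixed, OPTROM_SIZE_EXAMPLE));
	printf("strict check: %lld (negative means -EINVAL)\n", strict);
	return 0;
}
```

With the wrapping input the old clamp returns the full 0xFFFFFF00 bytes, which is what the driver would then hand to `vmalloc()`; the fixed clamp returns the 0x1FFF00 bytes actually remaining after `start`, and the strict variant refuses the request outright. The `size > limit - start` form is the general pattern for any user-supplied offset/length pair: subtract the already-validated offset from the limit and compare the length against that, instead of adding the two and comparing the sum.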
diff --git a/series.conf b/series.conf
index 2556c0f5bb..3182082098 100644
--- a/series.conf
+++ b/series.conf
@@ -306,6 +306,8 @@
# bnc#362850
patches.fixes/sd_liberal_28_sense_invalid.diff
+ # CVE-2017-14051
+ patches.drivers/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
########################################################
# DRM/Video
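Review bot: The new series.conf comment names only the CVE, while the patch's `References:` tag also carries `bsc#1056588`; putting both identifiers in the comment (`# bsc#1056588 CVE-2017-14051`) keeps the series file greppable by either bug number, matching the `# bnc#...` style of the entry just above.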