On Fri, Aug 05, 2016 at 01:44:10PM -0600, Dave Carroll wrote: > In aacraid's ioctl_send_fib() we do two fetches from userspace, one > the get the fib header's size and one for the fib itself. Later we use > the size field from the second fetch to further process the fib. If > for some reason the size from the second fetch is different than from > the first fix, we may encounter an out-of- bounds access in > aac_fib_send(). We also check the sender size to insure it is not > out of bounds. This was reported in > https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned > CVE- 2016-6480. > > Reported-by: Pengfei Wang <[email protected]> > Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' > Cc: [email protected] > Signed-off-by: Dave Carroll <[email protected]>
Thanks Dave, Reviewed-by: Johannes Thumshirn <[email protected]> -- Johannes Thumshirn Storage [email protected] +49 911 74053 689 SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850 -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
