Linux v4.7.10
This commit is contained in:
parent
321d4e224b
commit
0cd242c3d5
3 changed files with 5 additions and 46 deletions
|
|
@ -1,41 +0,0 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: 2016-09-15 13:44:56
|
||||
Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer()
|
||||
|
||||
We need to put an upper bound on "user_len" so the memcpy() doesn't
|
||||
overflow.
|
||||
|
||||
Reported-by: Marco Grassi <marco.gra@gmail.com>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
|
||||
|
||||
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
index 7640498..110eca9 100644
|
||||
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
|
||||
@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
|
||||
}
|
||||
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
|
||||
unsigned char *ver_addr;
|
||||
- int32_t user_len, cnt2end;
|
||||
+ uint32_t user_len;
|
||||
+ int32_t cnt2end;
|
||||
uint8_t *pQbuffer, *ptmpuserbuffer;
|
||||
ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
|
||||
if (!ver_addr) {
|
||||
@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
|
||||
}
|
||||
ptmpuserbuffer = ver_addr;
|
||||
user_len = pcmdmessagefld->cmdmessage.Length;
|
||||
+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
|
||||
+ retvalue = ARCMSR_MESSAGE_FAIL;
|
||||
+ kfree(ver_addr);
|
||||
+ goto message_out;
|
||||
+ }
|
||||
memcpy(ptmpuserbuffer,
|
||||
pcmdmessagefld->messagedatabuffer, user_len);
|
||||
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 9
|
||||
%define stable_update 10
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -636,9 +636,6 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
|
|||
#ongoing complaint, full discussion delayed until ksummit/plumbers
|
||||
Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch
|
||||
|
||||
#CVE-2016-7425 rhbz 1377330 1377331
|
||||
Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2161,6 +2158,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Oct 26 2016 Laura Abbott <labbott@redhat.com> - 4.7.10-100
|
||||
- Linux v4.7.10
|
||||
|
||||
* Thu Oct 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.7.9-100
|
||||
- Linux v4.7.9
|
||||
- CVE-2016-5195 (rhbz 1384344 1387080)
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1,3 +1,3 @@
|
|||
5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz
|
||||
fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz
|
||||
28f6b3a4bf77710cbffbee17afcf7ae2 patch-4.7.9.xz
|
||||
b9fd64120635788b6219f82392cedcb9 patch-4.7.10.xz
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue