Linux v4.7.10

This commit is contained in:
Laura Abbott 2016-10-26 16:07:20 -07:00
commit 0cd242c3d5
3 changed files with 5 additions and 46 deletions

View file

@ -1,41 +0,0 @@
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: 2016-09-15 13:44:56
Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer()
We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
index 7640498..110eca9 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
}
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
- int32_t user_len, cnt2end;
+ uint32_t user_len;
+ int32_t cnt2end;
uint8_t *pQbuffer, *ptmpuserbuffer;
ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
if (!ver_addr) {
@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
}
ptmpuserbuffer = ver_addr;
user_len = pcmdmessagefld->cmdmessage.Length;
+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ kfree(ver_addr);
+ goto message_out;
+ }
memcpy(ptmpuserbuffer,
pcmdmessagefld->messagedatabuffer, user_len);
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

View file

@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 9
%define stable_update 10
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -636,9 +636,6 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
#ongoing complaint, full discussion delayed until ksummit/plumbers
Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch
#CVE-2016-7425 rhbz 1377330 1377331
Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
# END OF PATCH DEFINITIONS
%endif
@ -2161,6 +2158,9 @@ fi
#
#
%changelog
* Wed Oct 26 2016 Laura Abbott <labbott@redhat.com> - 4.7.10-100
- Linux v4.7.10
* Thu Oct 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.7.9-100
- Linux v4.7.9
- CVE-2016-5195 (rhbz 1384344 1387080)

View file

@ -1,3 +1,3 @@
5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz
fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz
28f6b3a4bf77710cbffbee17afcf7ae2 patch-4.7.9.xz
b9fd64120635788b6219f82392cedcb9 patch-4.7.10.xz