From patchwork Wed Jan 10 09:48:59 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 858154
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2017-14051][Trusty][Zesty][SRU][PATCH 1/1] scsi: qla2xxx: Fix an integer overflow in sysfs code
Date: Wed, 10 Jan 2018 17:48:59 +0800
Message-Id: <20180110094859.14863-2-po-hsu.lin@canonical.com>
In-Reply-To: <20180110094859.14863-1-po-hsu.lin@canonical.com>
References: <20180110094859.14863-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions
From: Dan Carpenter CVE-2017-14051 The value of "size" comes from the user. When we add "start + size" it could lead to an integer overflow bug. It means we vmalloc() a lot more memory than we had intended. I believe that on 64 bit systems vmalloc() can succeed even if we ask it to allocate huge 4GB buffers. So we would get memory corruption and likely a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). Only root can trigger this bug. Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 Cc: Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") Reported-by: shqking Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen (cherry picked from commit e6f77540c067b48dee10f1e33678415bfcc89017) Signed-off-by: Po-Hsu Lin Acked-by: Kleber Sacilotto de Souza --- drivers/scsi/qla2xxx/qla_attr.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c index 5f174b8..08dd6a3 100644 --- a/drivers/scsi/qla2xxx/qla_attr.c +++ b/drivers/scsi/qla2xxx/qla_attr.c @@ -303,6 +303,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, return -EINVAL; if (start > ha->optrom_size) return -EINVAL; + if (size > ha->optrom_size - start) + size = ha->optrom_size - start; switch (val) { case 0: @@ -324,8 +326,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, return -EINVAL; ha->optrom_region_start = start; - ha->optrom_region_size = start + size > ha->optrom_size ? - ha->optrom_size - start : size; + ha->optrom_region_size = start + size; ha->optrom_state = QLA_SREADING; ha->optrom_buffer = vmalloc(ha->optrom_region_size); 
@@ -392,8 +393,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, } ha->optrom_region_start = start; - ha->optrom_region_size = start + size > ha->optrom_size ? - ha->optrom_size - start : size; + ha->optrom_region_size = start + size; ha->optrom_state = QLA_SWRITING; ha->optrom_buffer = vmalloc(ha->optrom_region_size);
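Review bot: the clamp `if (size > ha->optrom_size - start) size = ha->optrom_size - start;` in the @@ -303 hunk is placed after `if (start > ha->optrom_size) return -EINVAL;`, so `ha->optrom_size - start` cannot underflow and `size` is bounded before any `start + size` is formed; the subtraction-based comparison is the right shape for an overflow-safe bound check. Two points worth a line in the commit message: the clamp sits before `switch (val)`, so it now also runs on the `case 0:` path, which is harmless but a behaviour change, and it silently truncates an oversized request instead of returning -EINVAL, which matches what the removed ternary did.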
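Review bot: in the @@ -324 and @@ -392 hunks the removed ternary evaluated to `size`, a region length, whenever no clamping was needed, but the replacement `ha->optrom_region_size = start + size;` stores the end offset instead. With the new clamp that value is still bounded by `ha->optrom_size`, so the overflow itself is fixed, but `vmalloc(ha->optrom_region_size)` now allocates `start` more bytes than the region needs, and if `->read_optrom()`/`->write_optrom()` take `optrom_region_size` as a length relative to `optrom_region_start` the access can run past the end of the flash. The minimal change that keeps the old meaning is `ha->optrom_region_size = size;` in both hunks; if the backport is intentionally kept identical to upstream e6f77540c067, say so in the message so the discrepancy is on record.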
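The overflow the commit message describes and the clamp the first hunk introduces, as an added example in C (not the driver's code and not part of the patch): a model of the bound check before and after the fix with a constructed 2 MiB flash size, assuming `start` and `size` are 32-bit unsigned as in the sysfs handler. The post-fix function returns the clamped `size` rather than reproducing the patch's `start + size` assignment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: start/size are 32-bit unsigned, as in the sysfs handler.
 * Constructed flash size; the driver reads it from ha->optrom_size. */
#define OPTROM_SIZE 0x200000u /* 2 MiB */

/* Pre-fix check: compares the 32-bit sum, so a user-supplied size that
 * makes start + size wrap past UINT32_MAX looks small and is accepted
 * unclamped. Returns the length the driver would vmalloc(), or 0 where
 * the driver returns -EINVAL. */
uint32_t region_size_before_fix(uint32_t start, uint32_t size)
{
    if (start > OPTROM_SIZE)
        return 0;
    return start + size > OPTROM_SIZE ? OPTROM_SIZE - start : size;
}

/* Post-fix check: bound size against the remaining space before any
 * addition. start <= OPTROM_SIZE already holds, so the subtraction
 * cannot underflow, and no 32-bit sum that could wrap is formed. */
uint32_t region_size_after_fix(uint32_t start, uint32_t size)
{
    if (start > OPTROM_SIZE)
        return 0;
    if (size > OPTROM_SIZE - start)
        size = OPTROM_SIZE - start;
    return size;
}

/* Widened check: does the region [start, start + len) leave the flash? */
bool region_out_of_bounds(uint32_t start, uint32_t len)
{
    return (uint64_t)start + len > OPTROM_SIZE;
}

int main(void)
{
    /* Constructed requests: a normal one, and one whose 32-bit sum
     * wraps to 0x10 (0x1000 + 0xFFFFF010 == 0x100000010). */
    const uint32_t req[2][2] = { { 0x1000, 0x800 }, { 0x1000, 0xFFFFF010u } };

    for (int i = 0; i < 2; i++) {
        uint32_t before = region_size_before_fix(req[i][0], req[i][1]);
        uint32_t after = region_size_after_fix(req[i][0], req[i][1]);
        printf("start=%#x size=%#x: before=%#x oob=%d, after=%#x oob=%d\n",
               req[i][0], req[i][1], before, region_out_of_bounds(req[i][0], before),
               after, region_out_of_bounds(req[i][0], after));
    }
    return 0;
}
```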