Message ID | 20180110094859.14863-2-po-hsu.lin@canonical.com |
---|---|
State | New |
Headers | show |
Series | Fix for CVE-2017-14051 | expand |
On 01/10/18 10:48, Po-Hsu Lin wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2017-14051 > > The value of "size" comes from the user. When we add "start + size" it > could lead to an integer overflow bug. > > It means we vmalloc() a lot more memory than we had intended. I believe > that on 64 bit systems vmalloc() can succeed even if we ask it to > allocate huge 4GB buffers. So we would get memory corruption and likely > a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). > > Only root can trigger this bug. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 > > Cc: <stable@vger.kernel.org> > Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") > Reported-by: shqking <shqking@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> > (cherry picked from commit e6f77540c067b48dee10f1e33678415bfcc89017) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > drivers/scsi/qla2xxx/qla_attr.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c > index 5f174b8..08dd6a3 100644 > --- a/drivers/scsi/qla2xxx/qla_attr.c > +++ b/drivers/scsi/qla2xxx/qla_attr.c > @@ -303,6 +303,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, > return -EINVAL; > if (start > ha->optrom_size) > return -EINVAL; > + if (size > ha->optrom_size - start) > + size = ha->optrom_size - start; > > switch (val) { > case 0: > @@ -324,8 +326,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, > return -EINVAL; > > ha->optrom_region_start = start; > - ha->optrom_region_size = start + size > ha->optrom_size ? > - ha->optrom_size - start : size; > + ha->optrom_region_size = start + size; > > ha->optrom_state = QLA_SREADING; > ha->optrom_buffer = vmalloc(ha->optrom_region_size); > @@ -392,8 +393,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, > } > > ha->optrom_region_start = start; > - ha->optrom_region_size = start + size > ha->optrom_size ? > - ha->optrom_size - start : size; > + ha->optrom_region_size = start + size; > > ha->optrom_state = QLA_SWRITING; > ha->optrom_buffer = vmalloc(ha->optrom_region_size); > Clean cherry-pick. For trusty: Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Please note that Zesty has reached EOL and doesn't need this fix. Thanks, Kleber
On 10.01.2018 10:48, Po-Hsu Lin wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2017-14051 > > The value of "size" comes from the user. When we add "start + size" it > could lead to an integer overflow bug. > > It means we vmalloc() a lot more memory than we had intended. I believe > that on 64 bit systems vmalloc() can succeed even if we ask it to > allocate huge 4GB buffers. So we would get memory corruption and likely > a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). > > Only root can trigger this bug. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 > > Cc: <stable@vger.kernel.org> > Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") > Reported-by: shqking <shqking@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> > (cherry picked from commit e6f77540c067b48dee10f1e33678415bfcc89017) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > drivers/scsi/qla2xxx/qla_attr.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c > index 5f174b8..08dd6a3 100644 > --- a/drivers/scsi/qla2xxx/qla_attr.c > +++ b/drivers/scsi/qla2xxx/qla_attr.c > @@ -303,6 +303,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, > return -EINVAL; > if (start > ha->optrom_size) > return -EINVAL; > + if (size > ha->optrom_size - start) > + size = ha->optrom_size - start; > > switch (val) { > case 0: > @@ -324,8 +326,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, > return -EINVAL; > > ha->optrom_region_start = start; > - ha->optrom_region_size = start + size > ha->optrom_size ? > - ha->optrom_size - start : size; > + ha->optrom_region_size = start + size; > > ha->optrom_state = QLA_SREADING; > ha->optrom_buffer = vmalloc(ha->optrom_region_size); > @@ -392,8 +393,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, > } > > ha->optrom_region_start = start; > - ha->optrom_region_size = start + size > ha->optrom_size ? > - ha->optrom_size - start : size; > + ha->optrom_region_size = start + size; > > ha->optrom_state = QLA_SWRITING; > ha->optrom_buffer = vmalloc(ha->optrom_region_size); >
diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c index 5f174b8..08dd6a3 100644 --- a/drivers/scsi/qla2xxx/qla_attr.c +++ b/drivers/scsi/qla2xxx/qla_attr.c @@ -303,6 +303,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, return -EINVAL; if (start > ha->optrom_size) return -EINVAL; + if (size > ha->optrom_size - start) + size = ha->optrom_size - start; switch (val) { case 0: @@ -324,8 +326,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, return -EINVAL; ha->optrom_region_start = start; - ha->optrom_region_size = start + size > ha->optrom_size ? - ha->optrom_size - start : size; + ha->optrom_region_size = start + size; ha->optrom_state = QLA_SREADING; ha->optrom_buffer = vmalloc(ha->optrom_region_size); @@ -392,8 +393,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, } ha->optrom_region_start = start; - ha->optrom_region_size = start + size > ha->optrom_size ? - ha->optrom_size - start : size; + ha->optrom_region_size = start + size; ha->optrom_state = QLA_SWRITING; ha->optrom_buffer = vmalloc(ha->optrom_region_size);