[kernel/stabilization] CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
Josh Boyer
jwboyer at fedoraproject.org
Mon Nov 25 16:36:57 UTC 2013
commit 96d245ede5fa0b9cd51df3ebc1eae6b792b347cd
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Nov 25 11:34:44 2013 -0500
CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
aacraid-prevent-invalid-pointer-dereference.patch | 42 +++++++++++++++++++++
kernel.spec | 7 +++
2 files changed, 49 insertions(+), 0 deletions(-)
---
diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch
new file mode 100644
index 0000000..f5517ab
--- /dev/null
+++ b/aacraid-prevent-invalid-pointer-dereference.patch
@@ -0,0 +1,42 @@
+Bugzilla: 1033593
+Upstream-status: 3.13
+
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara <Mahesh.Rajashekhara at pmcs.com>
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: [PATCH] aacraid: prevent invalid pointer dereference
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data. So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara at pmcs.com>
+Reported-by: Nico Golde <nico at ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs at goesec.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index d85ac1a..fbcd48d 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
+--
+1.8.3.1
+
diff --git a/kernel.spec b/kernel.spec
index 17e4780..2ddb824 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -763,6 +763,9 @@ Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
#CVE-2013-6378 rhbz 1033578 1034183
Patch25155: libertas-potential-oops-in-debugfs.patch
+#CVE-2013-6380 rhbz 1033593 1034304
+Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1494,6 +1497,9 @@ ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
#CVE-2013-6378 rhbz 1033578 1034183
ApplyPatch libertas-potential-oops-in-debugfs.patch
+#CVE-2013-6380 rhbz 1033593 1034304
+ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2298,6 +2304,7 @@ fi
# || ||
%changelog
* Mon Nov 25 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
* Sat Nov 23 2013 Peter Robinson <pbrobinson at fedoraproject.org>
More information about the scm-commits
mailing list