[kernel/stabilization] CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)

[Josh Boyer]

commit 96d245ede5fa0b9cd51df3ebc1eae6b792b347cd
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Nov 25 11:34:44 2013 -0500

    CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)

 aacraid-prevent-invalid-pointer-dereference.patch |   42 +++++++++++++++++++++
 kernel.spec                                       |    7 +++
 2 files changed, 49 insertions(+), 0 deletions(-)
---
diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch
new file mode 100644
index 0000000..f5517ab
--- /dev/null
+++ b/aacraid-prevent-invalid-pointer-dereference.patch
@@ -0,0 +1,42 @@
+Bugzilla: 1033593
+Upstream-status: 3.13
+
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara <Mahesh.Rajashekhara at pmcs.com>
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: [PATCH] aacraid: prevent invalid pointer dereference
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data.  So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara at pmcs.com>
+Reported-by: Nico Golde <nico at ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs at goesec.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index d85ac1a..fbcd48d 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
+ 		goto cleanup;
+ 	}
+ 
+-	if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++	if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++	    (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ 		rcode = -EINVAL;
+ 		goto cleanup;
+ 	}
+-- 
+1.8.3.1
+
diff --git a/kernel.spec b/kernel.spec
index 17e4780..2ddb824 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -763,6 +763,9 @@ Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
 #CVE-2013-6378 rhbz 1033578 1034183
 Patch25155: libertas-potential-oops-in-debugfs.patch
 
+#CVE-2013-6380 rhbz 1033593 1034304
+Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1494,6 +1497,9 @@ ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
 #CVE-2013-6378 rhbz 1033578 1034183
 ApplyPatch libertas-potential-oops-in-debugfs.patch
 
+#CVE-2013-6380 rhbz 1033593 1034304
+ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2298,6 +2304,7 @@ fi
 #                                    ||     ||
 %changelog
 * Mon Nov 25 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
 - CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
 
 * Sat Nov 23 2013 Peter Robinson <pbrobinson at fedoraproject.org>