summaryrefslogtreecommitdiffstats
path: root/Documentation/HOWTO
diff options
context:
space:
mode:
authorDave Carroll <david.carroll@microsemi.com>2016-08-05 13:44:10 -0600
committerMartin K. Petersen <martin.petersen@oracle.com>2016-08-08 21:34:02 -0400
commitfa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 (patch)
tree911d3db2ec31ca2e6cb401cc68efaa42603b897e /Documentation/HOWTO
parentea0a95d7f162bfa1c9df74471f0064f71cdf80ea (diff)
downloadlinux-stable-fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3.tar.gz
linux-stable-fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3.tar.bz2
linux-stable-fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3.zip
aacraid: Check size values after double-fetch from user
In aacraid's ioctl_send_fib() we do two fetches from userspace, one the get the fib header's size and one for the fib itself. Later we use the size field from the second fetch to further process the fib. If for some reason the size from the second fetch is different than from the first fix, we may encounter an out-of- bounds access in aac_fib_send(). We also check the sender size to insure it is not out of bounds. This was reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-2016-6480. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' Cc: stable@vger.kernel.org Signed-off-by: Dave Carroll <david.carroll@microsemi.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'Documentation/HOWTO')
0 files changed, 0 insertions, 0 deletions