From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.univention.de ([82.198.197.8]:2689 "EHLO mail.univention.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752417AbcLNMcq (ORCPT ); Wed, 14 Dec 2016 07:32:46 -0500 From: Philipp Hahn To: Sasha Levin Cc: Dan Carpenter , , "Martin K. Petersen" , Philipp Hahn Subject: [PATCH 10/16] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Date: Wed, 14 Dec 2016 13:24:52 +0100 Message-Id: <97b02a4e85d3b3930d24bd157db8e5e8672e55ab.1481713714.git.hahn@univention.de> In-Reply-To: References: In-Reply-To: References: Sender: stable-owner@vger.kernel.org List-ID: From: Dan Carpenter [ Upstream commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 ] We need to put an upper bound on "user_len" so the memcpy() doesn't overflow. References: CVE-2016-7425 Cc: Reported-by: Marco Grassi Signed-off-by: Dan Carpenter Reviewed-by: Tomas Henzl Signed-off-by: Martin K. Petersen Signed-off-by: Philipp Hahn --- drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c index 2926295..c9f87cd 100644 --- a/drivers/scsi/arcmsr/arcmsr_hba.c +++ b/drivers/scsi/arcmsr/arcmsr_hba.c @@ -2300,7 +2300,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, } case ARCMSR_MESSAGE_WRITE_WQBUFFER: { unsigned char *ver_addr; - int32_t user_len, cnt2end; + uint32_t user_len; + int32_t cnt2end; uint8_t *pQbuffer, *ptmpuserbuffer; ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); if (!ver_addr) { @@ -2309,6 +2310,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, } ptmpuserbuffer = ver_addr; user_len = pcmdmessagefld->cmdmessage.Length; + if (user_len > ARCMSR_API_DATA_BUFLEN) { + retvalue = ARCMSR_MESSAGE_FAIL; + kfree(ver_addr); + goto message_out; + } memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len); spin_lock_irqsave(&acb->wqbuffer_lock, flags); -- 2.1.4