--- /dev/null
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: aacraid: prevent invalid pointer dereference
+
+From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
+
+commit b4789b8e6be3151a955ade74872822f30e8cd914 upstream.
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data. So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_d
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
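Review bot: The new lower bound in `aac_send_raw_srb` only guarantees that the fixed part of `struct user_aac_srb`, up to and including `sg.count`, lies inside the `fibsize` bytes taken from user space; it does not by itself bound the sg entries that a user-supplied `sg.count` then claims. The code that walks those entries is outside this hunk, so it is worth confirming that it checks `sg.count` against `fibsize` before reading any entry. The reason for subtracting one `user_sgentry` appears only in the commit message, so I would put it above the test, e.g. `/* user_aac_srb embeds one sg entry that commands without data may omit; require everything before it */`. The upper-bound operand `dev->max_fib_size - sizeof(struct aac_fibhdr)` is an unsigned subtraction and presumably relies on `max_fib_size` always exceeding the header size.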
--- /dev/null
+From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 30 Oct 2013 20:12:51 +0300
+Subject: libertas: potential oops in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 upstream.
+
+If we do a zero size allocation then it will oops. Also we can't be
+sure the user passes us a NUL terminated string so I've added a
+terminator.
+
+This code can only be triggered by root.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/libertas/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct
+ char *p2;
+ struct debug_data *d = f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
+@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
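Review bot: `lbs_debugfs_write` still returns 0 when `kmalloc(cnt + 1, GFP_KERNEL)` fails, and the context lines of the second hunk show the same `return 0` after `kfree(pdata)`; a write handler that reports zero bytes consumed hides the failure from the caller, which may simply retry. I would return an error code instead: `return -ENOMEM;` for the allocation and, if the branch in the second hunk is the failed user copy (its condition is outside the hunk), `return -EFAULT;` there. `cnt` is also passed to the allocator with no upper limit; the commit notes the path is root-only, but a comment stating that assumption, or a cap on `cnt`, would make it explicit. The function body starts and ends outside both hunks.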
vfs-proc-guarantee-unique-inodes-in-proc.patch
nfs-don-t-allow-nfs_find_actor-to-match-inodes-of-the-wrong-type.patch
+libertas-potential-oops-in-debugfs.patch
+aacraid-prevent-invalid-pointer-dereference.patch