linux-stable/drivers/scsi
Dave Carroll fa00c437ee aacraid: Check size values after double-fetch from user
In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of- bounds access in aac_fib_send(). We
also check the sender size to insure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2016-08-08 21:34:02 -04:00
..
aacraid aacraid: Check size values after double-fetch from user 2016-08-08 21:34:02 -04:00
aic7xxx aic7xxx: Fix queue depth handling 2016-02-23 21:27:02 -05:00
aic94xx treewide: Fix typos in printk 2016-04-18 11:23:24 +02:00
arcmsr arcmsr: change driver version to v1.30.00.22-20151126 2015-11-30 18:51:20 -05:00
arm scsi: rename SCSI_MAX_{SG, SG_CHAIN}_SEGMENTS 2016-04-15 16:53:14 -04:00
be2iscsi Merge branch 'fixes' into misc 2016-03-15 15:24:44 -07:00
bfa scripts/spelling.txt: add "fimware" misspelling 2016-05-19 19:12:14 -07:00
bnx2fc fcoe: use enum for fip_mode 2016-07-13 22:05:28 -04:00
bnx2i bnx2i: fix spelling mistake "complection" -> "completion" 2016-07-12 23:16:31 -04:00
csiostor scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
cxgbi cxgbi: fix uninitialized flowi6 2016-04-25 16:20:49 -04:00
cxlflash cxlflash: Verify problem state area is mapped before notifying shutdown 2016-07-27 00:32:06 -04:00
device_handler Merge branch 'fixes' into misc 2016-05-17 21:12:50 -04:00
dpt
esas2r scsi: rename SCSI_MAX_{SG, SG_CHAIN}_SEGMENTS 2016-04-15 16:53:14 -04:00
fcoe fcoe: Use kfree_skb() instead of kfree() 2016-08-04 21:29:02 -04:00
fnic fnic: pci_dma_mapping_error() doesn't return an error code 2016-07-20 20:49:17 -04:00
hisi_sas hisi_sas: update driver version to 1.5 2016-07-12 23:16:31 -04:00
ibmvscsi ibmvfc: prevent a potential deadlock 2016-07-15 15:13:52 -04:00
isci Merge branch 'for-4.7-zac' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2016-05-23 17:53:39 -07:00
libfc libfc: sanity check cpu number extracted from xid 2016-07-13 21:49:57 -04:00
libsas scsi:libsas: fix oops caused by assigning a freed task to ->lldd_task 2016-07-20 20:53:35 -04:00
lpfc lpfc: Fix possible NULL pointer dereference 2016-08-02 01:16:28 -04:00
megaraid megaraid_sas: Do not fire MR_DCMD_PD_LIST_QUERY to controllers which do not support it 2016-07-13 22:28:56 -04:00
mpt3sas mpt3sas: Fix panic when aer correct error occurred 2016-07-15 15:08:30 -04:00
mvsas libata/libsas: Define ATA_CMD_NCQ_NON_DATA 2016-05-09 12:36:44 -04:00
osd osd: remove deadcode 2016-02-25 21:11:42 -05:00
pcmcia scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
pm8001 pm8001: fix typo 2016-07-12 23:16:31 -04:00
qla2xxx qla2xxx: Update driver version to 8.07.00.38-k 2016-07-15 15:35:52 -04:00
qla4xxx scsi: qla4xxx: shut up warning for rd_reg_indirect 2016-02-23 21:27:02 -05:00
snic snic: Fix use-after-free in case of a dma mapping error 2016-07-12 23:16:31 -04:00
sym53c8xx_2 scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ufs scsi: ufs: remove unnecessary goto label 2016-07-15 15:44:45 -04:00
.gitignore
3w-9xxx.c 3w-9xxx: don't unmap bounce buffered commands 2015-10-07 10:24:48 -07:00
3w-9xxx.h 3w-9xxx: fix command completion race 2015-04-27 10:10:19 -07:00
3w-sas.c 3w-sas: fix command completion race 2015-04-27 10:04:39 -07:00
3w-sas.h 3w-sas: fix command completion race 2015-04-27 10:04:39 -07:00
3w-xxxx.c 3w-xxxx: Pass through compat mode ioctls 2016-01-08 12:51:03 -05:00
3w-xxxx.h 3w-xxxx: fix command completion race 2015-04-27 10:05:55 -07:00
53c700.c scsi: remove current_cmnd field from struct scsi_device 2016-07-13 22:33:23 -04:00
53c700.h scsi: remove current_cmnd field from struct scsi_device 2016-07-13 22:33:23 -04:00
53c700.scr
53c700_d.h_shipped
a100u2w.c scsi: a100u2w: trivial typo in printk 2015-08-07 15:03:42 +02:00
a100u2w.h
a2091.c
a2091.h
a3000.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
a3000.h
a4000t.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
advansys.c Merge branch 'mkp-fixes' into fixes 2015-12-03 09:32:33 -08:00
aha152x.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha152x.h
aha1542.c scsi: aha1542: avoid uninitialized variable warnings 2016-02-23 21:27:02 -05:00
aha1542.h aha1542: fix include guard and remove useless changelog 2015-04-09 18:08:31 -07:00
aha1740.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha1740.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
am53c974.c am53c974: Fix crash during modprobe 2015-04-17 10:13:56 -07:00
atari_scsi.c atari_scsi: Allow can_queue to be increased for Falcon 2016-04-11 16:57:09 -04:00
atp870u.c atp870u: Introduce atp870_init() 2015-11-25 22:08:55 -05:00
atp870u.h atp870u: Remove scam_on from struct atp_unit 2015-11-25 22:08:52 -05:00
BusLogic.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
BusLogic.h
bvme6000_scsi.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
ch.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-04-14 09:50:27 -07:00
constants.c scsi: reduce CONFIG_SCSI_CONSTANTS=y impact by 8k 2016-04-11 16:57:09 -04:00
dc395x.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
dc395x.h
dmx3191d.c ncr5380: Remove DONT_USE_INTR and AUTOPROBE_IRQ macros 2016-04-11 16:57:09 -04:00
dpt_i2o.c dpt_i2o: fix build warning 2016-02-23 21:27:02 -05:00
dpti.h
dtc.c ncr5380: Remove DONT_USE_INTR and AUTOPROBE_IRQ macros 2016-04-11 16:57:09 -04:00
dtc.h ncr5380: Merge DMA implementation from atari_NCR5380 core driver 2016-04-11 16:57:09 -04:00
eata.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
eata_generic.h
eata_pio.c eata_pio: missing break statement 2016-05-10 22:01:07 -04:00
eata_pio.h
esp_scsi.c scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
esp_scsi.h esp_scsi: correctly detect am53c974 2014-11-24 16:13:16 +01:00
fdomain.c scsi: fdomain: drop fdomain_pci_tbl when built-in 2016-02-23 21:27:02 -05:00
fdomain.h
FlashPoint.c FlashPoint: fix build warning 2015-11-09 16:32:14 -08:00
g_NCR5380.c ncr5380: Update usage documentation 2016-04-11 16:57:09 -04:00
g_NCR5380.h ncr5380: Merge DMA implementation from atari_NCR5380 core driver 2016-04-11 16:57:09 -04:00
g_NCR5380_mmio.c
gdth.c gdth: replace struct timeval with ktime_get_real_seconds() 2016-02-25 21:16:49 -05:00
gdth.h
gdth_ioctl.h
gdth_proc.c gdth: replace struct timeval with ktime_get_real_seconds() 2016-02-25 21:16:49 -05:00
gdth_proc.h
gvp11.c
gvp11.h
hosts.c scsi: remove the disable_blk_mq host flag 2016-07-15 15:11:20 -04:00
hpsa.c hpsa: change hpsa_passthru_ioctl timeout 2016-07-15 15:40:54 -04:00
hpsa.h hpsa: correct handling of HBA device removal 2016-04-29 19:08:24 -04:00
hpsa_cmd.h hpsa: update copyright information 2016-02-23 21:27:02 -05:00
hptiop.c hptiop: Support HighPoint RR36xx HBAs and Support SAS tape and SAS media changer 2015-08-12 13:14:57 -07:00
hptiop.h hptiop: Support HighPoint RR36xx HBAs and Support SAS tape and SAS media changer 2015-08-12 13:14:57 -07:00
imm.c imm: check parport_claim 2016-02-25 21:10:53 -05:00
imm.h
in2000.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
in2000.h
initio.c SCSI: initio: remove duplicate module device table 2015-11-20 11:39:03 -05:00
initio.h
ipr.c ipr: Fix error return code in ipr_probe_ioa() 2016-08-02 01:19:18 -04:00
ipr.h ipr: Wait to do async scan until scsi host is initialized 2016-07-27 00:32:07 -04:00
ips.c ips: remove pointless #warning 2015-06-02 17:24:54 -07:00
ips.h
iscsi_boot_sysfs.c ibft: Expose iBFT acpi header via sysfs 2016-05-16 11:14:29 -04:00
iscsi_tcp.c scsi_tcp: block BH in TCP callbacks 2016-05-19 11:36:49 -07:00
iscsi_tcp.h iscsi_tcp: Use ahash 2016-01-27 20:36:10 +08:00
jazz_esp.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
Kconfig scsi: ultrastor.c depends on ISA_DMA_API 2016-07-12 23:16:31 -04:00
lasi700.c
libiscsi.c libiscsi: Remove set-but-not-used variables 2016-04-11 16:57:09 -04:00
libiscsi_tcp.c iscsi_tcp: Use ahash 2016-01-27 20:36:10 +08:00
mac53c94.c PCI: Remove includes of asm/pci-bridge.h 2016-02-05 16:29:28 -06:00
mac53c94.h
mac_esp.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
mac_scsi.c mac_scsi: Fix pseudo DMA implementation 2016-04-11 16:57:09 -04:00
Makefile hisi_sas: Add initial bare main driver 2015-11-25 22:12:51 -05:00
megaraid.c megaraid : use dev_printk when possible 2015-08-26 07:23:04 -07:00
megaraid.h
mesh.c PCI: Remove includes of asm/pci-bridge.h 2016-02-05 16:29:28 -06:00
mesh.h
mvme16x_scsi.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
mvme147.c
mvme147.h
mvumi.c scsi: mvumi: use __maybe_unused to hide pm functions 2016-03-05 17:07:46 -05:00
mvumi.h
ncr53c8xx.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ncr53c8xx.h
NCR53c406a.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
NCR5380.c ncr5380: Call complete_cmd() for disconnected commands on bus reset 2016-04-11 16:57:09 -04:00
NCR5380.h mac_scsi: Fix pseudo DMA implementation 2016-04-11 16:57:09 -04:00
NCR_D700.c
NCR_D700.h
NCR_Q720.c
NCR_Q720.h
nsp32.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
nsp32.h
nsp32_debug.c
nsp32_io.h
osst.c scsi: remove scsi_driver owner field 2014-11-24 20:01:28 +01:00
osst.h
osst_detect.h
osst_options.h
pas16.c ncr5380: Remove DONT_USE_INTR and AUTOPROBE_IRQ macros 2016-04-11 16:57:09 -04:00
pas16.h ncr5380: Merge DMA implementation from atari_NCR5380 core driver 2016-04-11 16:57:09 -04:00
pmcraid.c SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
pmcraid.h
ppa.c scsi: ppa: use new parport device model 2016-02-23 21:27:02 -05:00
ppa.h
ps3rom.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qla1280.c qla1280: Don't allocate 512kb of host tags 2016-04-30 09:25:26 -07:00
qla1280.h
qlogicfas.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qlogicfas408.c
qlogicfas408.h
qlogicpti.c qlogicpti: Return correct error code 2016-03-01 20:06:49 -05:00
qlogicpti.h
raid_class.c
script_asm.pl
scsi.c scsi: remove the disable_blk_mq host flag 2016-07-15 15:11:20 -04:00
scsi.h
scsi_common.c scsi: add scsi_set_sense_field_pointer() 2016-04-04 12:07:42 -04:00
scsi_debug.c scsi_debug: fix sleep in invalid context 2016-07-12 23:16:31 -04:00
scsi_devinfo.c SCSI: fix new bug in scsi_dev_info_list string matching 2016-06-29 00:51:31 -04:00
scsi_dh.c scsi_dh: move 'dh_state' sysfs attribute to generic code 2015-12-02 16:29:19 -05:00
scsi_error.c Merge remote-tracking branch 'mkp-scsi/4.7/scsi-fixes' into fixes 2016-06-18 11:59:01 -07:00
scsi_ioctl.c scsi: return EAGAIN when resetting a device under EH 2014-11-12 11:16:12 +01:00
scsi_lib.c scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands 2016-05-22 14:52:45 -04:00
scsi_lib_dma.c
scsi_logging.c scsi_logging: return void for dev_printk() functions 2015-02-04 08:00:24 -08:00
scsi_logging.h scsi: simplify scsi_log_(send|completion) 2014-11-12 11:16:05 +01:00
scsi_module.c
scsi_netlink.c
scsi_pm.c scsi: Set request queue runtime PM status back to active on resume 2016-02-19 10:52:45 -05:00
scsi_priv.h scsi: disable automatic target scan 2016-04-11 16:57:09 -04:00
scsi_proc.c scsi: disable automatic target scan 2016-04-11 16:57:09 -04:00
scsi_sas_internal.h scsi_transport_sas: add 'scsi_target_id' sysfs attribute 2016-03-14 21:05:04 -04:00
scsi_scan.c scsi: Add intermediate STARGET_REMOVE state to scsi_target_state 2016-04-15 16:51:53 -04:00
scsi_sysctl.c
scsi_sysfs.c Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" 2016-04-15 16:53:07 -04:00
scsi_trace.c scsi-trace: define ZBC_IN and ZBC_OUT 2016-04-11 16:57:09 -04:00
scsi_transport_api.h
scsi_transport_fc.c scsi_transport_fc: Unexport scsi_is_fc_vport() 2016-04-11 16:57:09 -04:00
scsi_transport_iscsi.c scsi_transport_iscsi: Declare local symbols static 2016-04-11 16:57:09 -04:00
scsi_transport_sas.c scsi: disable automatic target scan 2016-04-11 16:57:09 -04:00
scsi_transport_spi.c [SCSI] Fix printk typos in drivers/scsi 2015-08-07 14:28:45 +02:00
scsi_transport_srp.c IB/srp: Avoid using uninitialized variable 2015-07-14 13:20:09 -04:00
scsi_typedefs.h
scsicam.c scsi: PC partition tables are little endian 2014-11-12 11:15:54 +01:00
sd.c sd: Fix rw_max for devices that report an optimal xfer size 2016-06-01 22:07:47 -04:00
sd.h sd: Fix rw_max for devices that report an optimal xfer size 2016-06-01 22:07:47 -04:00
sd_dif.c block: Consolidate static integrity profile properties 2015-10-21 14:42:38 -06:00
sense_codes.h scsi: move Additional Sense Codes to separate file 2016-04-11 16:57:09 -04:00
ses.c ses: fix discovery of SATA devices in SAS enclosures 2015-12-18 19:29:50 -08:00
sg.c sg: fix dxferp in from_to case 2016-03-14 15:50:25 -04:00
sgiwd93.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
sim710.c scsi: sim710: fix build warning 2016-02-23 21:27:02 -05:00
sni_53c710.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
sr.c SCSI: fix crashes in sd and sr runtime PM 2016-01-26 17:24:16 -08:00
sr.h scsi: introduce sdev_prefix_printk() 2014-11-12 11:15:57 +01:00
sr_ioctl.c sr: reduce debug noise in sr_do_ioctl 2015-01-20 19:43:24 +01:00
sr_vendor.c
st.c st: clear ILI if Medium Error 2016-04-25 22:08:16 -04:00
st.h st: Remove obsolete scsi_tape.max_pfn 2015-11-18 11:59:09 -05:00
st_options.h
stex.c stex: Add S3/S4 support 2016-02-23 21:27:02 -05:00
storvsc_drv.c scsi: storvsc: Filter out storvsc messages CD-ROM medium not present 2016-07-12 23:16:31 -04:00
sun3_scsi.c ncr5380: Remove disused atari_NCR5380.c core driver 2016-04-11 16:57:09 -04:00
sun3_scsi.h sun3_scsi: Move macro definitions 2014-11-20 09:11:15 +01:00
sun3_scsi_vme.c
sun3x_esp.c arch, drivers: don't include <asm/io.h> directly, use <linux/io.h> instead 2015-08-10 23:07:05 -04:00
sun_esp.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
sym53c416.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
sym53c416.h
t128.c ncr5380: Remove DONT_USE_INTR and AUTOPROBE_IRQ macros 2016-04-11 16:57:09 -04:00
t128.h ncr5380: Merge DMA implementation from atari_NCR5380 core driver 2016-04-11 16:57:09 -04:00
u14-34f.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ultrastor.c
ultrastor.h
virtio_scsi.c virtio/vhost: fixes for 4.2 2015-07-23 13:07:04 -07:00
vmw_pvscsi.c vmw_pvscsi: Change to update maintainer details (name, email) 2016-07-12 23:16:31 -04:00
vmw_pvscsi.h vmw_pvscsi: Change to update maintainer details (name, email) 2016-07-12 23:16:31 -04:00
wd33c93.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
wd33c93.h
wd719x.c [SCSI] Fix printk typos in drivers/scsi 2015-08-07 14:28:45 +02:00
wd719x.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
wd7000.c scsi: wd7000: print sector number as 64-bit 2016-07-12 23:16:31 -04:00
xen-scsifront.c xen: Use correctly the Xen memory terminologies 2015-09-08 18:03:49 +01:00
zalon.c
zorro7xx.c