debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch

   1 From 97f8f06928e2a0d3db6157f6cd8dcf3b002dfb9f Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Wed, 25 May 2016 17:55:10 +0530
   4 Subject: [PATCH 3/9] scsi: megasas: check 'read_queue_head' index value
   5
   6 While doing MegaRAID SAS controller command frame lookup, routine
   7 'megasas_lookup_frame' uses 'read_queue_head' value as an index
   8 into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
   9 within array bounds to avoid any OOB access.
  10
  11 Reported-by: Li Qiang <liqiang6-s@360.cn>
  12 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  13 Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
  14 Reviewed-by: Alexander Graf <agraf@suse.de>
  15 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  16 ---
  17
  18 Notes:
  19     CVE-2016-5107
  20
  21  hw/scsi/megasas.c | 2 ++
  22  1 file changed, 2 insertions(+)
  23
  24 diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
  25 index 05c72b0..ebbe270 100644
  26 --- a/hw/scsi/megasas.c
  27 +++ b/hw/scsi/megasas.c
  28 @@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
  29      pa_hi = le32_to_cpu(initq->pi_addr_hi);
  30      s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
  31      s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
  32 +    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
  33      s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
  34 +    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
  35      flags = le32_to_cpu(initq->flags);
  36      if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
  37          s->flags |= MEGASAS_MASK_USE_QUEUE64;
  38 --
  39 2.1.4
  40