linux-toradex.git/drivers/scsi/aacraid/commctrl.c, branch v4.9.100 Linux kernel for Apalis and Colibri modules aacraid: Check size values after double-fetch from user 2016-08-09T01:34:02+00:00 Dave Carroll david.carroll@microsemi.com 2016-08-05T19:44:10+00:00 fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 In aacraid's ioctl_send_fib() we do two fetches from userspace, one the get the fib header's size and one for the fib itself. Later we use the size field from the second fetch to further process the fib. If for some reason the size from the second fetch is different than from the first fix, we may encounter an out-of- bounds access in aac_fib_send(). We also check the sender size to insure it is not out of bounds. This was reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned CVE-2016-6480. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' Cc: stable@vger.kernel.org Signed-off-by: Dave Carroll <david.carroll@microsemi.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of- bounds access in aac_fib_send(). We
also check the sender size to insure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Cc: stable@vger.kernel.org
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
aacraid: use kmemdup 2016-07-13T03:16:31+00:00 Muhammad Falak R Wani falakreyaz@gmail.com 2016-05-19T14:08:33+00:00 22e9f5a61666ed1145a09fbe49ac1a6f2ae7be8e Use kmemdup when some other buffer is immediately copied into allocated region. It replaces call to allocation followed by memcpy, by a single call to kmemdup. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
Use kmemdup when some other buffer is immediately copied into allocated
region. It replaces call to allocation followed by memcpy, by a single
call to kmemdup.

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
aacraid: Fix AIF triggered IOP_RESET 2016-02-24T02:27:02+00:00 Raghava Aditya Renukunta raghavaaditya.renukunta@pmcs.com 2016-02-03T23:06:06+00:00 fbd185986ebafaeac900a1af1829fed2bf03242e while driver removal is in progress or PCI shutdown is invoked, driver kills AIF aacraid thread, but IOCTL requests from the management tools re-start AIF thread leading to IOP_RESET. Fixed by setting adapter_shutdown flag when PCI shutdown is invoked. Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com> Reviewed-by: Shane Seymour <shane.seymour@hpe.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Reviewed-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
while driver removal is in progress or PCI shutdown is invoked, driver
kills AIF aacraid thread, but IOCTL requests from the management tools
re-start AIF thread leading to IOP_RESET.

Fixed by setting adapter_shutdown flag when PCI shutdown is invoked.

Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
aacraid: Created new mutex for ioctl path 2016-02-24T02:27:02+00:00 Raghava Aditya Renukunta RaghavaAditya.Renukunta@pmcs.com 2016-02-03T23:06:05+00:00 222a9fb376df0f4aec32493a3fb5d18fa56979f2 aac_mutex was used to create protect the ioctl path for only the compat path, it would be make more sense to place mutex in aac_do_ioctl, which is the main ioctl function call that handles all ioctl commands. Created new mutex ioctl_mutex in struct aac_dev to protect switch case in aac_do_ioctl and removed aac_mutex from aac_cfg_ioctl and aac_compat_do_ioctl Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@pmcs.com> Reviewed-by: Tomas Henzl <thenzl@redhat.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 
aac_mutex was used to create protect the ioctl path for only the compat
path, it would be make more sense to place mutex in aac_do_ioctl, which
is the main ioctl function call that handles all ioctl commands.

Created new mutex ioctl_mutex in struct aac_dev to protect switch case
in aac_do_ioctl and removed aac_mutex from aac_cfg_ioctl and
aac_compat_do_ioctl

Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@pmcs.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
aacraid: IOCTL pass-through command fix 2015-04-09T23:44:49+00:00 Mahesh Rajashekhara Mahesh.Rajashekhara@pmcs.com 2015-03-26T14:41:23+00:00 2f5d1f7998b67d49263ee9d9a49669e1b8d0e302 The Linux aacriad driver fails to detect the case of SG list count=0 on IOCTL pass-through command and cause intermittent fault. The result is the Linux aacriad driver send down IOCTL pass-through command with one not initialized SG list to firmware when receiving SG list count =0 on pass-through command. Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Murthy Bhat <Murthy.Bhat@pmcs.com> Signed-off-by: James Bottomley <JBottomley@Odin.com> 
The Linux aacriad driver fails to detect the case of SG list count=0 on IOCTL
pass-through command and cause intermittent fault.  The result is the Linux
aacriad driver send down IOCTL pass-through command with one not initialized
SG list to firmware when receiving SG list count =0 on pass-through command.

Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Murthy Bhat <Murthy.Bhat@pmcs.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
aacraid: prevent invalid pointer dereference 2013-11-20T00:27:39+00:00 Mahesh Rajashekhara Mahesh.Rajashekhara@pmcs.com 2013-10-31T08:31:02+00:00 b4789b8e6be3151a955ade74872822f30e8cd914 It appears that driver runs into a problem here if fibsize is too small because we allocate user_srbcmd with fibsize size only but later we access it until user_srbcmd->sg.count to copy it over to srbcmd. It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this structure already includes one sg element and this is not needed for commands without data. So, we would recommend to add the following (instead of test for fibsize == 0). Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com> Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
It appears that driver runs into a problem here if fibsize is too small
because we allocate user_srbcmd with fibsize size only but later we
access it until user_srbcmd->sg.count to copy it over to srbcmd.

It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
structure already includes one sg element and this is not needed for
commands without data.  So, we would recommend to add the following
(instead of test for fibsize == 0).

Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers: avoid parsing names as kthread_run() format strings 2013-07-03T23:07:41+00:00 Kees Cook keescook@chromium.org 2013-07-03T22:04:58+00:00 f170168b9a0b61ea1e647b082b38f605f1d3de3e Calling kthread_run with a single name parameter causes it to be handled as a format string. Many callers are passing potentially dynamic string content, so use "%s" in those cases to avoid any potential accidents. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Calling kthread_run with a single name parameter causes it to be handled
as a format string. Many callers are passing potentially dynamic string
content, so use "%s" in those cases to avoid any potential accidents.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[SCSI] aacraid: Series 7 Async. (performance) mode support 2012-07-20T07:59:04+00:00 Mahesh Rajashekhara Mahesh_Rajashekhara@pmc-sierra.com 2012-07-14T12:48:51+00:00 85d22bbf6787c240921539bba224eb221bfb8ee1 - Series 7 Async. (performance) mode support added - New scatter/gather list format for Series 7 - Driver converts s/g list to a firmware suitable list for best performance on Series 7, this can be disabled with driver parameter "aac_convert_sgl" for testing purposes - New container read/write command structure for Series 7 - Fast response support for the SCSI pass-through path added - Async. status response buffer changes Signed-off-by: Mahesh Rajashekhara <Mahesh_Rajashekhara@pmc-sierra.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com> 
- Series 7 Async. (performance) mode support added
- New scatter/gather list format for Series 7
- Driver converts s/g list to a firmware suitable list for best performance on
  Series 7, this can be disabled with driver parameter "aac_convert_sgl" for
  testing purposes
- New container read/write command structure for Series 7
- Fast response support for the SCSI pass-through path added
- Async. status response buffer changes

Signed-off-by: Mahesh Rajashekhara <Mahesh_Rajashekhara@pmc-sierra.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
drivers/scsi/aacraid/commctrl.c: fix mem leak in aac_send_raw_srb() 2012-01-08T22:15:21+00:00 Jesper Juhl jj@chaosbits.net 2012-01-08T21:44:19+00:00 7dd72f5189b257f927cc3b35d98643a5c392f5c3 We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() : We allocate memory: ... struct user_sgmap* usg; usg = kmalloc(actual_fibsize - sizeof(struct aac_srb) + sizeof(struct sgmap), GFP_KERNEL); and then neglect to free it: ... for (i = 0; i < usg->count; i++) { u64 addr; void* p; if (usg->sg[i].count > ((dev->adapter_info.options & AAC_OPT_NEW_COMM) ? (dev->scsi_host_ptr->max_sectors << 9) : 65536)) { rcode = -EINVAL; goto cleanup; ... this 'goto' makes 'usg' go out of scope and leak the memory we allocated. Other exits properly kfree(usg), it's just here it is neglected. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb() :

We allocate memory:

	...
	struct user_sgmap* usg;
	usg = kmalloc(actual_fibsize - sizeof(struct aac_srb)
	  + sizeof(struct sgmap), GFP_KERNEL);

and then neglect to free it:

	...
	for (i = 0; i < usg->count; i++) {
		u64 addr;
		void* p;
		if (usg->sg[i].count >
		    ((dev->adapter_info.options &
		     AAC_OPT_NEW_COMM) ?
		      (dev->scsi_host_ptr->max_sectors << 9) :
		      65536)) {
			rcode = -EINVAL;
			goto cleanup;
	... this 'goto' makes 'usg' go out of scope and leak the memory we
	    allocated.

Other exits properly kfree(usg), it's just here it is neglected.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[SCSI] aacraid: Add new code for PMC-Sierra's SRC based controller family 2011-03-23T16:36:58+00:00 Mahesh Rajashekhara Mahesh_Rajashekhara@pmc-sierra.com 2011-03-17T09:10:32+00:00 e8b12f0fb8352237525961f14ec933e915848840 Added new hardware device 0x28b interface for PMC-Sierra's SRC based controller family. - new src.c file for 0x28b specific functions - new XPORT header required - sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT) - async. Interface: different inbound queue handling, no outbound I2O queue available, using doorbell ("PmDoorBellResponseSent") and response buffer on the host ("host_rrq") for status - changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending" bit to inform about pending AIF, "AifRequest" command to read AIF, "NoMoreAifDataAvailable" to mark the end of the AIFs Signed-off-by: Mahesh Rajashekhara <aacraid@pmc-sierra.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de> 
Added new hardware device 0x28b interface for PMC-Sierra's SRC based
controller family.

- new src.c file for 0x28b specific functions
- new XPORT header required
- sync. command interface: doorbell bits shifted (SRC_ODR_SHIFT, SRC_IDR_SHIFT)
- async. Interface: different inbound queue handling, no outbound I2O
  queue available, using doorbell ("PmDoorBellResponseSent") and
  response buffer on the host ("host_rrq") for status
- changed AIF (adapter initiated FIBs) interface: "DoorBellAifPending"
  bit to inform about pending AIF, "AifRequest" command to read AIF,
  "NoMoreAifDataAvailable" to mark the end of the AIFs

Signed-off-by: Mahesh Rajashekhara <aacraid@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>