A heap-buffer overflow vulnerability was found in the arcmsr_iop_message_xfer() function in 'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux kernel through 4.8.2. The function does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can potentially cause kernel heap corruption and arbitrary kernel code execution.

Upstream patch:
http://marc.info/?l=linux-scsi&m=147394713328707&w=2
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4bd173c30792791a6daca8c64793ec0a4ae8324f

Discussion thread:
http://marc.info/?t=147394719700004&r=1&w=2

References:
http://seclists.org/oss-sec/2016/q3/535
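The bug class described above, as an added example (not code from the bug report, the kernel, or the upstream patches linked there): a user-space model of a control-message handler that copies a caller-supplied number of bytes into a fixed-size buffer without comparing that number against the buffer size, beside the bounded version. The structure layout, the buffer and guard sizes, the control-code value and the function names are assumptions chosen for the model, not the driver's real definitions; the guard region after the buffer stands in for whatever the allocator placed next to the real kmalloc'd buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes and the control-code value are assumptions for this model, not the
 * driver's real constants. */
#define WQBUF_SIZE 1032
#define GUARD_SIZE 256
#define GUARD_BYTE 0xEE
#define CTRL_WRITE_WQBUFFER 1   /* stands in for ARCMSR_MESSAGE_WRITE_WQBUFFER */

enum xfer_result {
    RESULT_REJECTED  = -1,  /* handler refused the message */
    RESULT_OK        =  0,  /* copy done, memory after the buffer untouched */
    RESULT_CORRUPTED =  1   /* copy done, memory after the buffer overwritten */
};

/* Assumed message layout: a control code, a caller-chosen length, and the
 * bytes the caller wants written into the driver's buffer. */
struct ctrl_msg {
    uint32_t code;
    uint32_t length;
    uint8_t  data[WQBUF_SIZE + GUARD_SIZE];
};

typedef int (*xfer_fn)(uint8_t *wqbuf, const struct ctrl_msg *msg);

/* Vulnerable shape: the length field is used exactly as supplied. */
int xfer_vulnerable(uint8_t *wqbuf, const struct ctrl_msg *msg)
{
    if (msg->code != CTRL_WRITE_WQBUFFER)
        return RESULT_REJECTED;
    /* No comparison against WQBUF_SIZE: a length larger than the buffer
     * writes past its end into whatever the allocator placed next. */
    memcpy(wqbuf, msg->data, msg->length);
    return RESULT_OK;
}

/* Hardened shape: bound the length before touching the buffer. */
int xfer_fixed(uint8_t *wqbuf, const struct ctrl_msg *msg)
{
    if (msg->code != CTRL_WRITE_WQBUFFER)
        return RESULT_REJECTED;
    if (msg->length > WQBUF_SIZE)
        return RESULT_REJECTED;
    memcpy(wqbuf, msg->data, msg->length);
    return RESULT_OK;
}

/* Allocates a buffer with a guard region after it (modelling the adjacent
 * heap chunk), sends one constructed WRITE_WQBUFFER message of the given
 * length through the handler, and reports what happened to the guard. */
int run_msg(xfer_fn handler, uint32_t length)
{
    struct ctrl_msg msg;
    uint8_t *chunk = malloc(WQBUF_SIZE + GUARD_SIZE);
    uint8_t *guard;
    int rc;
    size_t i;

    if (!chunk || length > sizeof msg.data) {
        free(chunk);
        return RESULT_REJECTED;
    }
    guard = chunk + WQBUF_SIZE;
    memset(chunk, 0, WQBUF_SIZE);
    memset(guard, GUARD_BYTE, GUARD_SIZE);

    msg.code = CTRL_WRITE_WQBUFFER;
    msg.length = length;
    memset(msg.data, 0x41, sizeof msg.data);   /* constructed payload */

    rc = handler(chunk, &msg);
    if (rc == RESULT_OK) {
        for (i = 0; i < GUARD_SIZE; i++) {
            if (guard[i] != GUARD_BYTE) {
                rc = RESULT_CORRUPTED;
                break;
            }
        }
    }
    free(chunk);
    return rc;
}

int main(void)
{
    printf("vulnerable, oversized length: %d\n", run_msg(xfer_vulnerable, WQBUF_SIZE + 64));
    printf("fixed, oversized length:      %d\n", run_msg(xfer_fixed, WQBUF_SIZE + 64));
    printf("fixed, in-range length:       %d\n", run_msg(xfer_fixed, WQBUF_SIZE));
    return 0;
}
```

The oversized message stays inside the model's own allocation so the program itself is well-behaved; in the kernel the same extra bytes would land in a neighbouring slab object, which is the heap corruption the report refers to. The only difference between the two handlers is the single comparison against the buffer size, which is the shape of check the bug report says the function was missing.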
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1377331]
kernel-4.7.5-200.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7179af3ac1
kernel-4.7.5-100.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-58eda97f25
kernel-4.7.5-200.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.7.5-100.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG-2 as only the privileged user can exploit the flaw.