CVE-2017-14051 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-14051
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-14051
CVSS severity score: 4.9/10.0

Description: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Sep 11 2017
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a6a206f584240b54927579ae67cd21467f625c1e

commit a6a206f584240b54927579ae67cd21467f625c1e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Sep 12 17:30:29 2017

UPSTREAM: scsi: qla2xxx: Fix an integer overflow in sysfs code

The value of "size" comes from the user. When we add "start + size" it could lead to an integer overflow bug. It means we vmalloc() a lot more memory than we had intended. I believe that on 64 bit systems vmalloc() can succeed even if we ask it to allocate huge 4GB buffers. So we would get memory corruption and likely a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().

Only root can trigger this bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
BUG= chromium:761615
TEST=Build and run
Change-Id: I00e345983bf5f86cc0c654cb113180faa7b68be7
Cc: <stable@vger.kernel.org>
Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
Reported-by: shqking <shqking@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e6f77540c067)
Reviewed-on: https://chromium-review.googlesource.com/661140

[modify] https://crrev.com/a6a206f584240b54927579ae67cd21467f625c1e/drivers/scsi/qla2xxx/qla_attr.c
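The overflow the commit message describes, as an added C illustration that is not the qla2xxx driver's code: a clamp that forms `start + size` wraps in 32-bit arithmetic and lets a near-UINT32_MAX size through, while comparing `size` against the room left after `start` does not. `OPTROM_SIZE` and the 32-bit unsigned `start`/`size` are assumptions modelled on the message.

```c
/* Added illustration of the "start + size" overflow described in the commit
 * message above.  Not the qla2xxx driver's code: OPTROM_SIZE and the 32-bit
 * unsigned start/size are assumptions modelled on the message. */
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

#define OPTROM_SIZE 0x400000u   /* constructed 4 MiB flash region */

/* Overflow-prone clamp: start + size is computed in 32-bit arithmetic, so a
 * size near UINT32_MAX wraps the sum below OPTROM_SIZE, the bound passes,
 * and the caller goes on to allocate `size` bytes (about 4 GB). */
static uint32_t region_size_unsafe(uint32_t start, uint32_t size)
{
    if (start > OPTROM_SIZE)
        return 0;                       /* reject: start outside the region */
    return start + size > OPTROM_SIZE ? OPTROM_SIZE - start : size;
}

/* Hardened clamp: compare size against the room left after start.  The
 * subtraction cannot underflow because start was bounds-checked first, and
 * no sum that could wrap is ever formed. */
static uint32_t region_size_safe(uint32_t start, uint32_t size)
{
    if (start > OPTROM_SIZE)
        return 0;
    if (size > OPTROM_SIZE - start)
        size = OPTROM_SIZE - start;
    return size;
}

/* 1 when the clamped length still exceeds the region, i.e. the condition
 * under which vmalloc() would be handed a far larger length than intended. */
static int over_allocates(uint32_t start, uint32_t clamped)
{
    return clamped > OPTROM_SIZE - start;
}

int main(void)
{
    uint32_t start = 0x1000u, size = 0xFFFFFFFFu;   /* constructed input */
    uint32_t u = region_size_unsafe(start, size);
    uint32_t s = region_size_safe(start, size);
    printf("unsafe clamp: %#" PRIx32 " bytes (over-allocates: %d)\n",
           u, over_allocates(start, u));
    printf("safe clamp:   %#" PRIx32 " bytes (over-allocates: %d)\n",
           s, over_allocates(start, s));
    return 0;
}
```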
Sep 12 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b2d7afb0a12bce30da6888353d87f34d0dade18e

commit b2d7afb0a12bce30da6888353d87f34d0dade18e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Sep 12 17:30:25 2017

UPSTREAM: scsi: qla2xxx: Fix an integer overflow in sysfs code
(commit message identical to the first revision above; cherry picked from commit e6f77540c067)

Reviewed-on: https://chromium-review.googlesource.com/661139

[modify] https://crrev.com/b2d7afb0a12bce30da6888353d87f34d0dade18e/drivers/scsi/qla2xxx/qla_attr.c
Sep 12 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ad0d33f14baebe677cdf6651533c7ebd8cfecea3

commit ad0d33f14baebe677cdf6651533c7ebd8cfecea3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Sep 12 17:30:27 2017

UPSTREAM: scsi: qla2xxx: Fix an integer overflow in sysfs code
(commit message identical to the first revision above; cherry picked from commit e6f77540c067)

Reviewed-on: https://chromium-review.googlesource.com/660408
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/ad0d33f14baebe677cdf6651533c7ebd8cfecea3/drivers/scsi/qla2xxx/qla_attr.c
Sep 12 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3218758148d44e634060418dcffc6e4355e597cc

commit 3218758148d44e634060418dcffc6e4355e597cc
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Sep 12 20:03:20 2017

UPSTREAM: scsi: qla2xxx: Fix an integer overflow in sysfs code
(commit message identical to the first revision above; cherry picked from commit e6f77540c067)

Reviewed-on: https://chromium-review.googlesource.com/661138

[modify] https://crrev.com/3218758148d44e634060418dcffc6e4355e597cc/drivers/scsi/qla2xxx/qla_attr.c
Sep 12 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/09dccdd256f25e67b656f838b303c261c666bbab

commit 09dccdd256f25e67b656f838b303c261c666bbab
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Sep 12 20:03:23 2017

UPSTREAM: scsi: qla2xxx: Fix an integer overflow in sysfs code
(commit message identical to the first revision above; cherry picked from commit e6f77540c067)

Reviewed-on: https://chromium-review.googlesource.com/661137

[modify] https://crrev.com/09dccdd256f25e67b656f838b303c261c666bbab/drivers/scsi/qla2xxx/qla_attr.c
Dec 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Sep 2 2017

Owner: groeck@chromium.org
Status: ExternalDependency (was: Untriaged)