[PATCH] scsi: integer overflow in megadev_ioctl()

From: Yu Chen
Date: Fri Dec 13 2013 - 11:55:57 EST

Next message: Boris Ostrovsky: "Re: [PATCH V10 03/14] xen/pvh: Implement MMU changes for PVH."
Previous message: Matt Porter: "[PATCH v6 1/9] phy: add phy_get_bus_width()/phy_set_bus_width() calls"
Next in thread: Levente Kurusa: "Re: [PATCH] scsi: integer overflow in megadev_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno. The
int variable adapno would < 0, leading to a error array access
for hdb_soft_state[adapno].

Reported-by: Wenliang Fan <fanwlexca@xxxxxxxxx>
Suggested-by: Qixue Xiao <xiaoqixue_1@xxxxxxx>
Signed-off-by: Yu Chen <chyyuu@xxxxxxxxx>
---
drivers/scsi/megaraid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 816db12..41bbc21 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int
cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno >= hba_count || adapno < 0 )
return (-ENODEV);

adapter = hba_soft_state[adapno];
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Boris Ostrovsky: "Re: [PATCH V10 03/14] xen/pvh: Implement MMU changes for PVH."
Previous message: Matt Porter: "[PATCH v6 1/9] phy: add phy_get_bus_width()/phy_set_bus_width() calls"
Next in thread: Levente Kurusa: "Re: [PATCH] scsi: integer overflow in megadev_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]