[PATCH] scsi: integer overflow in megadev_ioctl()

[Chen.Yu]

From: "Chen.Yu" <chyyuu@xxxxxxxxx>

There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
The int variable adapno would < 0, leading to an error
array access for hdb_soft_state[adapno], or an error
copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..).
The simple fix is to  the simpler fix is to change the type
of 'adapno' to u32, which is the type of uioc.adapno to u32.

Signed-off-by: Yu Chen <chyyuu@xxxxxxxxx>
---
 drivers/scsi/megaraid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 816db12..724c5a5 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3038,7 +3038,7 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
 {
 	adapter_t	*adapter;
 	nitioctl_t	uioc;
-	int		adapno;
+	u32		adapno;
 	int		rval;
 	mega_passthru	__user *upthru;	/* user address for passthru */
 	mega_passthru	*pthru;		/* copy user passthru here */
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/