sparc64: Properly range check DAX completion index

Each Oracle DAX CCB has a corresponding completion area, and the required number of areas must fit within a previously allocated array of completion areas beginning at the requested index. Since the completion area index is specified by a file offset, a user can pass arbitrary values, including negative numbers. So the index must be thoroughly range checked to prevent access to addresses outside the bounds of the allocated completion area array. The index cannot be negative, and it cannot exceed the total array size, less the number of CCBs requested. The old code did not check for negative values and was off by one on the upper bound. Signed-off-by: Rob Gardner <rob.gardner@oracle.com> Signed-off-by: Jonathan Helman <jonathan.helman@oracle.com> Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-31 22:53:01 -06:00 · 2018-03-31 22:53:01 -06:00 · 49d7006d9f
commit 49d7006d9f
parent a68277b786
1 changed files with 1 additions and 1 deletions
--- a/drivers/sbus/char/oradax.c
+++ b/drivers/sbus/char/oradax.c
@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx *ctx, const char __user *buf,
 	dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx);

 	/* for given index and length, verify ca_buf range exists */
-	if (idx + nccbs >= DAX_CA_ELEMS) {
+	if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) {
 		ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL;
 		return 0;
 	}