forked from Minki/linux
mptfusion: prevent some memory corruption
These are signed values the come from the user, we put a cap on the upper bounds but not on the lower bounds. We use "karg.dataSgeOffset" to calculate "sz". We verify "sz" and proceed as if that means that "karg.dataSgeOffset" is correct but this fails to consider that the "sz" calculations can have integer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: James Bottomley <JBottomley@Odin.com>
This commit is contained in:
parent
8d6a9f5676
commit
e819cdb198
@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
|
|||||||
}
|
}
|
||||||
spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
|
spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
|
||||||
|
|
||||||
|
/* Basic sanity checks to prevent underflows or integer overflows */
|
||||||
|
if (karg.maxReplyBytes < 0 ||
|
||||||
|
karg.dataInSize < 0 ||
|
||||||
|
karg.dataOutSize < 0 ||
|
||||||
|
karg.dataSgeOffset < 0 ||
|
||||||
|
karg.maxSenseBytes < 0 ||
|
||||||
|
karg.dataSgeOffset > ioc->req_sz / 4)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
/* Verify that the final request frame will not be too large.
|
/* Verify that the final request frame will not be too large.
|
||||||
*/
|
*/
|
||||||
sz = karg.dataSgeOffset * 4;
|
sz = karg.dataSgeOffset * 4;
|
||||||
|
Loading…
Reference in New Issue
Block a user