shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-10 12:57:06 +09:00
Code Issues Packages Projects Releases Wiki Activity

gdth: integer overflow in ioctl

Browse Source 
commit f63ae56e4e upstream.

gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer.  Then when we do the
copy_from_user(), it would result in a memory corruption.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Dan Carpenter
2010-10-08 09:03:07 +02:00
committed by Greg Kroah-Hartman
parent f8d4ab3d9b
commit f89236606b
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/scsi/gdth.c
View File

@@ -4174,6 +4174,14 @@ static int ioc_general(void __user *arg, char *cmnd)
ha = gdth_find_ha(gen.ionode);
if (!ha)
return -EFAULT;
if (gen.data_len > INT_MAX)
return -EINVAL;
if (gen.sense_len > INT_MAX)
return -EINVAL;
if (gen.data_len + gen.sense_len > INT_MAX)
return -EINVAL;
if (gen.data_len + gen.sense_len != 0) {
if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
FALSE, &paddr)))