Commit e819cdb1 authored by Dan Carpenter's avatar Dan Carpenter Committed by James Bottomley

mptfusion: prevent some memory corruption

These are signed values the come from the user, we put a cap on the
upper bounds but not on the lower bounds.

We use "karg.dataSgeOffset" to calculate "sz".  We verify "sz" and
proceed as if that means that "karg.dataSgeOffset" is correct but this
fails to consider that the "sz" calculations can have integer overflows.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
parent 8d6a9f56
......@@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
}
spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
/* Basic sanity checks to prevent underflows or integer overflows */
if (karg.maxReplyBytes < 0 ||
karg.dataInSize < 0 ||
karg.dataOutSize < 0 ||
karg.dataSgeOffset < 0 ||
karg.maxSenseBytes < 0 ||
karg.dataSgeOffset > ioc->req_sz / 4)
return -EINVAL;
/* Verify that the final request frame will not be too large.
*/
sz = karg.dataSgeOffset * 4;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment