summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2015-07-03 11:53:03 +0300
committerSasha Levin <sasha.levin@oracle.com>2015-12-03 10:04:59 -0500
commit654484aa13c5a55879405b340148992ee1da3b56 (patch)
tree312aa8aca8d4ef5f37d84bc2066e657bcaae75e0 /drivers
parent7bb11a7b9027a87d9dcde4d4b16a8f208083154c (diff)
mptfusion: prevent some memory corruption
[ Upstream commit e819cdb198319cccf4af4fc12ac4d796109d8c23 ] These are signed values the come from the user, we put a cap on the upper bounds but not on the lower bounds. We use "karg.dataSgeOffset" to calculate "sz". We verify "sz" and proceed as if that means that "karg.dataSgeOffset" is correct but this fails to consider that the "sz" calculations can have integer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: James Bottomley <JBottomley@Odin.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/message/fusion/mptctl.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
index 70bb7530b22c..fc7393729081 100644
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
}
spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
+ /* Basic sanity checks to prevent underflows or integer overflows */
+ if (karg.maxReplyBytes < 0 ||
+ karg.dataInSize < 0 ||
+ karg.dataOutSize < 0 ||
+ karg.dataSgeOffset < 0 ||
+ karg.maxSenseBytes < 0 ||
+ karg.dataSgeOffset > ioc->req_sz / 4)
+ return -EINVAL;
+
/* Verify that the final request frame will not be too large.
*/
sz = karg.dataSgeOffset * 4;
generated by cgit v1.2.3 (git 2.0.4) at 2024-06-13 09:36:35 +0000