user_msg[0] is a size variable, which is copied in from user space and
checked. It is copied in again from user space after the check, and used
in the following execution. Malicious user programs can race to change
user_msg[0] between the two copies, leading to incorrect size. The fix
ensures to use the checked size.
Signed-off-by: Kangjie Lu <kjlu@xxxxxxx>
---
drivers/scsi/dpt_i2o.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 37de8fb186d7..93bd1d1bd5b5 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -1733,6 +1733,9 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg)
if(copy_from_user(msg, user_msg, size)) {
return -EFAULT;
}
+ /* Ensure it is not changed in the second copy */
+ msg[0] = size;
+
get_user(reply_size, &user_reply[0]);
reply_size = reply_size>>16;
if(reply_size > REPLY_FRAME_SIZE){
--
2.17.2 (Apple Git-113)
