user_msg[0] is copied in twice from user space. It contains size and is critical. The fix ensures it is not changed in the second copy. Signed-off-by: Kangjie Lu <kjlu@xxxxxxx> --- drivers/scsi/dpt_i2o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 93bd1d1bd5b5..2294520842e0 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c @@ -1850,6 +1850,8 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) rcode = -EFAULT; goto cleanup; } + /* Ensure it is not changed in the second copy */ + msg[0] = size; sg_count = (size - sg_offset*4) / sizeof(struct sg_simple_element); // TODO add 64 bit API -- 2.17.2 (Apple Git-113)
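Review bot: the added `msg[0] = size;` line silently overwrites whatever the second copy fetched into the size word rather than detecting that it changed; since the commit message calls this field critical, consider comparing the refetched `msg[0]` against the already-validated `size` and taking the existing `rcode = -EFAULT; goto cleanup;` path on mismatch, so a racing writer is reported instead of masked. The comment should also say where `size` comes from (the first copy, already validated), and it is worth confirming that `sg_offset`, used on the very next line, is likewise derived from the first copy or re-derived from the restored `msg[0]` rather than from the second fetch.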