Hi,
On Wed, Oct 30, 2013 at 10:13 AM, Dan Carpenter
<dan.carpenter@xxxxxxxxxx> wrote:
> pthru32->dataxferlen comes from the user so we need to check that it's
> not too large so we don't overflow the buffer.
>
> Reported-by: Nico Golde <nico@xxxxxxxxx>
> Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
I don't see this in Linus's tree nor linux-next yet. Can someone pick this up?
Thanks!
-Kees
> ---
> Please review this carefully because I have not tested it.
>
> diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c
> index dfffd0f..a706927 100644
> --- a/drivers/scsi/megaraid/megaraid_mm.c
> +++ b/drivers/scsi/megaraid/megaraid_mm.c
> @@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, mraid_mmadp_t *adp, uioc_t *kioc)
>
> pthru32->dataxferaddr = kioc->buf_paddr;
> if (kioc->data_dir & UIOC_WR) {
> + if (pthru32->dataxferlen > kioc->xferlen)
> + return -EINVAL;
> if (copy_from_user(kioc->buf_vaddr, kioc->user_data,
> pthru32->dataxferlen)) {
> return (-EFAULT);
>
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
