On Wed, Jan 8, 2014 at 4:27 AM, Saxena, Sumit <Sumit.Saxena@xxxxxxx> wrote: > > >>-----Original Message----- >>From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx] >>Sent: Wednesday, October 30, 2013 10:44 PM >>To: DL-MegaRAID Linux >>Cc: James E.J. Bottomley; linux-scsi@xxxxxxxxxxxxxxx; security@xxxxxxxxxx; >>Nico Golde; Fabian Yamaguchi >>Subject: [patch] [SCSI] megaraid: missing bounds check in mimd_to_kioc() >> >>pthru32->dataxferlen comes from the user so we need to check that it's >>not too large so we don't overflow the buffer. >> >>Reported-by: Nico Golde <nico@xxxxxxxxx> >>Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx> >>Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> >>--- >>Please review this carefully because I have not tested it. >> >>diff --git a/drivers/scsi/megaraid/megaraid_mm.c >>b/drivers/scsi/megaraid/megaraid_mm.c >>index dfffd0f..a706927 100644 >>--- a/drivers/scsi/megaraid/megaraid_mm.c >>+++ b/drivers/scsi/megaraid/megaraid_mm.c >>@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, >>mraid_mmadp_t *adp, uioc_t *kioc) >> >> pthru32->dataxferaddr = kioc->buf_paddr; >> if (kioc->data_dir & UIOC_WR) { >>+ if (pthru32->dataxferlen > kioc->xferlen) >>+ return -EINVAL; >> if (copy_from_user(kioc->buf_vaddr, kioc->user_data, >> pthru32->dataxferlen)) { >> return (-EFAULT); > > Acked-by: Sumit Saxena <sumit.saxena@xxxxxxx> > > Sumit > Thanks for the Ack. Who normally picks patches for this area? -Kees -- Kees Cook Chrome OS Security
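Review bot: the new comparison of pthru32->dataxferlen against kioc->xferlen sits inside the `if (kioc->data_dir & UIOC_WR)` branch, so it only guards the copy_from_user() into kioc->buf_vaddr. A request without UIOC_WR still carries the unchecked user-supplied length together with pthru32->dataxferaddr = kioc->buf_paddr, which is assigned just above the branch. Consider moving the check to before the direction test so the length is validated for every data direction. It is also worth confirming that kioc->xferlen holds the size the buffer was actually obtained with at this point, since that is not visible in the hunk, and a short comment saying that dataxferlen is user-controlled would help the next reader. The bare `return -EINVAL;` next to the existing `return (-EFAULT);` is fine as kernel style, though the two now differ within the same block.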