>-----Original Message-----
>From: Kees Cook [mailto:keescook@xxxxxxxxxx]
>Sent: Friday, January 10, 2014 12:05 AM
>To: Saxena, Sumit
>Cc: Dan Carpenter; DL-MegaRAID Linux; James E.J. Bottomley; linux-scsi@xxxxxxxxxxxxxxx; security@xxxxxxxxxx; Nico Golde; Fabian Yamaguchi
>Subject: Re: [patch] [SCSI] megaraid: missing bounds check in mimd_to_kioc()
>
>On Wed, Jan 8, 2014 at 4:27 AM, Saxena, Sumit <Sumit.Saxena@xxxxxxx>
>wrote:
>>
>>
>>>-----Original Message-----
>>>From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx]
>>>Sent: Wednesday, October 30, 2013 10:44 PM
>>>To: DL-MegaRAID Linux
>>>Cc: James E.J. Bottomley; linux-scsi@xxxxxxxxxxxxxxx;
>>>security@xxxxxxxxxx; Nico Golde; Fabian Yamaguchi
>>>Subject: [patch] [SCSI] megaraid: missing bounds check in
>>>mimd_to_kioc()
>>>
>>>pthru32->dataxferlen comes from the user so we need to check that it's
>>>not too large so we don't overflow the buffer.
>>>
>>>Reported-by: Nico Golde <nico@xxxxxxxxx>
>>>Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
>>>Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>>>---
>>>Please review this carefully because I have not tested it.
>>>
>>>diff --git a/drivers/scsi/megaraid/megaraid_mm.c >>>b/drivers/scsi/megaraid/megaraid_mm.c >>>index dfffd0f..a706927 100644 >>>--- a/drivers/scsi/megaraid/megaraid_mm.c >>>+++ b/drivers/scsi/megaraid/megaraid_mm.c
>>>@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, >mraid_mmadp_t >>>*adp, uioc_t *kioc) >>> >>> pthru32->dataxferaddr = kioc->buf_paddr; >>> if (kioc->data_dir & UIOC_WR) { >>>+ if (pthru32->dataxferlen > kioc->xferlen) >>>+ return -EINVAL; >>> if (copy_from_user(kioc->buf_vaddr, kioc->user_data, >>> pthru32->dataxferlen)) { >>> return (-EFAULT);
>>
>> Acked-by: Sumit Saxena <sumit.saxena@xxxxxxx>
>>
>> Sumit
>>
>
>Thanks for the Ack. Who normally picks patches for this area?
>
>-Kees
>

James Bottomley (Linux SCSI subsystem maintainer) should pick this patch.

Sumit

>--
>Kees Cook
>Chrome OS Security
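
Review bot: the new comparison of pthru32->dataxferlen against kioc->xferlen sits inside the "if (kioc->data_dir & UIOC_WR)" branch, so it only bounds the copy_from_user() into kioc->buf_vaddr. The line just above sets pthru32->dataxferaddr = kioc->buf_paddr unconditionally, which means a request without UIOC_WR still carries the unchecked, user-supplied dataxferlen alongside that buffer address. Consider hoisting the check above the "if" so the length is validated for every data direction. This assumes kioc->xferlen is the size of the buffer behind buf_vaddr/buf_paddr, which the hunk does not show and the commit message should state. Since the author notes the patch is untested, it is also worth confirming that returning -EINVAL at this point needs no cleanup beyond what the existing -EFAULT return a few lines below already relies on. Minor style point: "return -EINVAL;" is written without parentheses while the neighbouring "return (-EFAULT);" uses them.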