Re: [patch] [SCSI] megaraid: missing bounds check in mimd_to_kioc()

Kees Cook <keescook@xxxxxxxxxx> · Thu, 9 Jan 2014 12:03:10 -0800

On Thu, Jan 9, 2014 at 11:53 AM, Saxena, Sumit <Sumit.Saxena@xxxxxxx> wrote:
>
>
>>-----Original Message-----
>>From: Kees Cook [mailto:keescook@xxxxxxxxxx]
>>Sent: Friday, January 10, 2014 12:05 AM
>>To: Saxena, Sumit
>>Cc: Dan Carpenter; DL-MegaRAID Linux; James E.J. Bottomley; linux-
>>scsi@xxxxxxxxxxxxxxx; security@xxxxxxxxxx; Nico Golde; Fabian Yamaguchi
>>Subject: Re: [patch] [SCSI] megaraid: missing bounds check in mimd_to_kioc()
>>
>>On Wed, Jan 8, 2014 at 4:27 AM, Saxena, Sumit <Sumit.Saxena@xxxxxxx>
>>wrote:
>>>
>>>
>>>>-----Original Message-----
>>>>From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx]
>>>>Sent: Wednesday, October 30, 2013 10:44 PM
>>>>To: DL-MegaRAID Linux
>>>>Cc: James E.J. Bottomley; linux-scsi@xxxxxxxxxxxxxxx;
>>>>security@xxxxxxxxxx; Nico Golde; Fabian Yamaguchi
>>>>Subject: [patch] [SCSI] megaraid: missing bounds check in
>>>>mimd_to_kioc()
>>>>
>>>>pthru32->dataxferlen comes from the user so we need to check that it's
>>>>not too large so we don't overflow the buffer.
>>>>
>>>>Reported-by: Nico Golde <nico@xxxxxxxxx>
>>>>Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
>>>>Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>>>>---
>>>>Please review this carefully because I have not tested it.
>>>>
>>>>diff --git a/drivers/scsi/megaraid/megaraid_mm.c
>>>>b/drivers/scsi/megaraid/megaraid_mm.c
>>>>index dfffd0f..a706927 100644
>>>>--- a/drivers/scsi/megaraid/megaraid_mm.c
>>>>+++ b/drivers/scsi/megaraid/megaraid_mm.c
>>>>@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd,
>>mraid_mmadp_t
>>>>*adp, uioc_t *kioc)
>>>>
>>>>       pthru32->dataxferaddr   = kioc->buf_paddr;
>>>>       if (kioc->data_dir & UIOC_WR) {
>>>>+              if (pthru32->dataxferlen > kioc->xferlen)
>>>>+                      return -EINVAL;
>>>>               if (copy_from_user(kioc->buf_vaddr, kioc->user_data,
>>>>                                               pthru32->dataxferlen)) {
>>>>                       return (-EFAULT);
>>>
>>> Acked-by: Sumit Saxena <sumit.saxena@xxxxxxx>
>>>
>>> Sumit
>>>
>>
>>Thanks for the Ack. Who normally picks patches for this area?
>>
>>-Kees
>>
> James Bottomley(Linux SCSI subsystem maintainer) should pick this patch.

Okay, thanks. James, can you pick up this patch as well?
https://lkml.org/lkml/2013/12/18/477

Thanks,

-Kees

>
> Sumit
>>--
>>Kees Cook
>>Chrome OS Security
>

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html