Dear David,

Thank you for the quick response, and I think the safest way is to check for equal, not only to check for not larger than the first checked value, although I'm not sure whether anything wrong would happen if it is smaller. Please let me know if a patch is applied.

Thanks!

Bests
Pengfei

> On 7 Jul 2016, at 11:43 PM, David Carroll <david.carroll@xxxxxxxxxxxxx> wrote:
>
>> -----Original Message-----
>> From: linux-scsi-owner@xxxxxxxxxxxxxxx [mailto:linux-scsi-owner@xxxxxxxxxxxxxxx] On Behalf Of Pengfei Wang
>> Sent: Thursday, July 07, 2016 7:00 AM
>> To: linux-scsi@xxxxxxxxxxxxxxx
>> Subject: Re: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
>>
>> Hi,
>>
>> Will anyone bother to confirm and fix this problem I reported last time? From the point of view of security, I think it should be fixed.
>> I have discovered several cases of the same kind and all have been fixed by the maintainers. Thanks!
>>
>> Pengfei
>>
>
> Hi Pengfei,
>
> I'm currently working on a patch set for the HBA-1000 card, and I agree with your assessment. We will check the sizes and return an error if the size is larger than when first checked;
> i.e.
>
>     /* Second copy of the FIB from user memory, using the size validated earlier. */
>     if (copy_from_user(kfib, arg, size)) {
>         retval = -EFAULT;
>         goto cleanup;
>     }
>
>     /* Re-check the header size from this copy against the size validated by the first fetch. */
>     if (unlikely((le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr)) > size)) {
>         retval = -EINVAL;
>         goto cleanup;
>     }
>
> Thanks,
> -Dave
>
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
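A user-space model of the double-fetch pattern discussed in this thread, written here as an added example (it is not the aacraid driver's code): a stand-in copy_from_user() can present a different header size to the second copy, and run_case() shows that only the re-check from David's reply rejects a grown size. The names fibhdr, user_buf, ioctl_send_fib_model and run_case are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for struct aac_fibhdr: only the Size field matters here. */
struct fibhdr { uint16_t size; uint16_t pad; };

/* Model of the user buffer passed to the ioctl (constructed). The header size
 * returned by the first and the second copy can differ, which is what a
 * racing user thread would achieve between the two copy_from_user() calls. */
struct user_buf { uint16_t size_seen[2]; int fetches; };

static int copy_from_user_sim(void *dst, size_t n, struct user_buf *ub) {
    unsigned char page[64] = {0};
    struct fibhdr h = { ub->size_seen[ub->fetches < 2 ? ub->fetches : 1], 0 };
    if (n > sizeof page) return -1;
    ub->fetches++;
    memcpy(page, &h, sizeof h);
    memcpy(dst, page, n);
    return 0;
}

/* Shape of the ioctl path in question: the size is validated from the first
 * fetch, the FIB is copied a second time, and the copied header's size is
 * what the driver goes on to use. With recheck == 0 the second size is
 * trusted (the reported bug); with recheck == 1 it is re-validated against
 * the first (David's proposed fix). Returns the length the driver would
 * trust, or -errno. */
static int ioctl_send_fib_model(struct user_buf *ub, int recheck) {
    struct fibhdr hdr, copied;
    unsigned char kfib[64];
    unsigned int size, copied_size;

    if (copy_from_user_sim(&hdr, sizeof hdr, ub)) return -EFAULT;
    size = hdr.size + sizeof(struct fibhdr);
    if (size > sizeof kfib) return -EINVAL;          /* first-fetch check */

    if (copy_from_user_sim(kfib, size, ub)) return -EFAULT;   /* second fetch */
    memcpy(&copied, kfib, sizeof copied);
    copied_size = copied.size + sizeof(struct fibhdr);
    if (recheck && copied_size > size) return -EINVAL;        /* the fix */
    return (int)copied_size;
}

/* first/second: header size presented to the first and second fetch. */
static int run_case(int recheck, uint16_t first, uint16_t second) {
    struct user_buf ub = { { first, second }, 0 };
    return ioctl_send_fib_model(&ub, recheck);
}
```

Note that a second size smaller than the first still passes the `>` check, which is the case Pengfei's reply asks about.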