Each Oracle DAX CCB has a corresponding completion area, and the required
number of areas must fit within a previously allocated array of completion
areas beginning at the requested index. Since the completion area index
is specified by a file offset, a user can pass arbitrary values, including
negative numbers. So the index must be thoroughly range checked to prevent
access to addresses outside the bounds of the allocated completion
area array. The index cannot be negative, and it cannot exceed the
total array size, less the number of CCBs requested. The old code did
not check for negative values and was off by one on the upper bound.
Signed-off-by: Rob Gardner <rob.gardner@xxxxxxxxxx>
Signed-off-by: Jonathan Helman <jonathan.helman@xxxxxxxxxx>
Reported-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
---
drivers/sbus/char/oradax.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/sbus/char/oradax.c b/drivers/sbus/char/oradax.c
index d8597d5..96b4ad7 100644
--- a/drivers/sbus/char/oradax.c
+++ b/drivers/sbus/char/oradax.c
@@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx *ctx, const char __user *buf,
dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx);
/* for given index and length, verify ca_buf range exists */
- if (idx + nccbs >= DAX_CA_ELEMS) {
+ if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) {
ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL;
return 0;
}
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe sparclinux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
