| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Dec 2013 00:55:53 +0800 From: Yu Chen <chyyuu@...il.com> To: linux-kernel@...r.kernel.org Cc: megaraidlinux@....com, xiaoqixue_1 <xiaoqixue_1@....com>, 范文良 <fanwlexca@...il.com> Subject: [PATCH] scsi: integer overflow in megadev_ioctl() There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would < 0, leading to a error array access for hdb_soft_state[adapno]. Reported-by: Wenliang Fan <fanwlexca@...il.com> Suggested-by: Qixue Xiao <xiaoqixue_1@....com> Signed-off-by: Yu Chen <chyyuu@...il.com> --- drivers/scsi/megaraid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 816db12..41bbc21 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c @@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) /* * Which adapter */ - if( (adapno = GETADAP(uioc.adapno)) >= hba_count ) + adapno = GETADAP(uioc.adapno); + if( adapno >= hba_count || adapno < 0 ) return (-ENODEV); adapter = hba_soft_state[adapno]; -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists