| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Dec 2013 01:31:05 +0800 From: Yu Chen <chyyuu@...il.com> To: Levente Kurusa <levex@...ux.com> Cc: linux-kernel@...r.kernel.org, megaraidlinux@....com, xiaoqixue_1 <xiaoqixue_1@....com>, 范文良 <fanwlexca@...il.com> Subject: Re: [PATCH] scsi: integer overflow in megadev_ioctl() Thank you! The new patch ------------------------------------------------------------- [PATCH] scsi: integer overflow in megadev_ioctl() There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. Theint variable adapno would < 0, leading to a error array access for hdb_soft_state[adapno], or a error copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..) Reported-by: Wenliang Fan <fanwlexca@...il.com> Suggested-by: Qixue Xiao <xiaoqixue_1@....com> Signed-off-by: Yu Chen <chyyuu@...il.com> --- drivers/scsi/megaraid.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 41bbc21..0b90c54 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c @@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) /* * Which adapter */ - if( (adapno = GETADAP(uioc.adapno)) >= hba_count ) + adapno = GETADAP(uioc.adapno); + if( adapno < 0 ) + return (-EINVAL); + if( adapno >= hba_count ) return (-ENODEV); if( copy_to_user(uioc.uioc_uaddr, mcontroller+adapno, @@ -3113,8 +3116,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) /* * Which adapter */ - adapno = GETADAP(uioc.adapno); - if( adapno >= hba_count || adapno < 0 ) + adapno = GETADAP(uioc.adapno); + if( adapno < 0 ) + return (-EINVAL); + if( adapno >= hba_count ) return (-ENODEV); adapter = hba_soft_state[adapno]; @@ -3161,7 +3166,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) /* * Which adapter */ - if( (adapno = GETADAP(uioc.adapno)) >= hba_count ) + adapno = GETADAP(uioc.adapno); + if( adapno < 0 ) + return (-EINVAL); + if( adapno >= hba_count ) return (-ENODEV); adapter = hba_soft_state[adapno]; -- 1.8.3.2 2013/12/14 Levente Kurusa <levex@...ux.com>: > Hi, > > On 12/13/2013 05:55 PM, Yu Chen wrote: >> drivers/scsi/megaraid.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c >> index 816db12..41bbc21 100644 >> --- a/drivers/scsi/megaraid.c >> +++ b/drivers/scsi/megaraid.c >> @@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int >> cmd, unsigned long arg) >> /* >> * Which adapter >> */ >> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count ) >> + adapno = GETADAP(uioc.adapno); >> + if( adapno >= hba_count || adapno < 0 ) >> return (-ENODEV); > > Wouldn't returning -EINVAL be better? For hba_count I understand that > -ENODEV is returned but for adapno being a passed variable, I would > suggest returning -EINVAL. > > -- > Regards, > Levente Kurusa -- Best Regards ============================================== Yu Chen Ph.D. Associate Professor System Software&Software Engineering Group, Dept. of Computer Science and Technology Tsinghua University, Beijing 100084, P.R. China E-Mail: mailto:yuchen@...nghua.edu.cn chyyuu@...il.com ============================================== -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists