lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <52AB4739.4010006@linux.com>
Date:	Fri, 13 Dec 2013 18:43:21 +0100
From:	Levente Kurusa <levex@...ux.com>
To:	Yu Chen <chyyuu@...il.com>
CC:	linux-kernel@...r.kernel.org, megaraidlinux@....com,
	xiaoqixue_1 <xiaoqixue_1@....com>,
	范文良 <fanwlexca@...il.com>
Subject: Re: [PATCH] scsi: integer overflow in megadev_ioctl()

On 12/13/2013 06:31 PM, Yu Chen wrote:
> Thank you!  The new patch
> -------------------------------------------------------------
> [PATCH] scsi: integer overflow in megadev_ioctl()
> 
> There is a potential integer overflow in megadev_ioctl() if
> userspace passes in a large u32 variable uioc.adapno.
> Theint variable adapno would < 0, leading to a error
Typo here, 'theint' should be 'the int'
also it should be 'an error' instead of 'a error'

> array access for hdb_soft_state[adapno], or a error
Here as well.

> copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
> 
> Reported-by: Wenliang Fan <fanwlexca@...il.com>
> Suggested-by: Qixue Xiao <xiaoqixue_1@....com>
> Signed-off-by: Yu Chen <chyyuu@...il.com>
Reviewed-by: Levente Kurusa <levex@...ux.com>

(Once you have fixed my suggestions :-) )

> ---
>  drivers/scsi/megaraid.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
> index 41bbc21..0b90c54 100644
> --- a/drivers/scsi/megaraid.c
> +++ b/drivers/scsi/megaraid.c
> @@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int
> cmd, unsigned long arg)
>   /*
>   * Which adapter
>   */
> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
> + adapno = GETADAP(uioc.adapno);
> + if( adapno < 0 )
> + return (-EINVAL);
> + if( adapno >= hba_count )
>   return (-ENODEV);
> 
>   if( copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,


Total whitespace damage. :-)

Try sending them with 'git send-email' or configure your email client
properly.

Oh, and one last thing. Don't post the v3 as a reply to this, but
instead as a whole new post.

-- 
Regards,
Levente Kurusa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ