lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 14 Dec 2013 08:35:35 +0800
From:	Yu Chen <chyyuu@...il.com>
To:	Måns Rullgård <mans@...sr.com>
Cc:	linux-kernel@...r.kernel.org, Levente Kurusa <levex@...ux.com>,
	xiaoqixue_1 <xiaoqixue_1@....com>,
	范文良 <fanwlexca@...il.com>,
	megaraidlinux@....com
Subject: Re: [PATCH] scsi: integer overflow in megadev_ioctl()

I agree that the simpler fix is to change the type of 'adapno' to u32,
which is the type of uioc.adapno to u32.


2013/12/14 Måns Rullgård <mans@...sr.com>:
> "Chen.Yu" <chyyuu@...il.com> writes:
>
>> From: "Chen.Yu" <chyyuu@...il.com>
>>
>> There is a potential integer overflow in megadev_ioctl() if
>> userspace passes in a large u32 variable uioc.adapno.
>> The int variable adapno would < 0, leading to an error
>> array access for hdb_soft_state[adapno], or an error
>> copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
>>
>> Reported-by: Wenliang Fan <fanwlexca@...il.com>
>> Suggested-by: Qixue Xiao <xiaoqixue_1@....com>
>> Signed-off-by: Yu Chen <chyyuu@...il.com>
>> Reviewed-by: Levente Kurusa <levex@...ux.com>
>> ---
>>  drivers/scsi/megaraid.c | 15 ++++++++++++---
>>  1 file changed, 12 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
>> index 816db12..0b90c54 100644
>> --- a/drivers/scsi/megaraid.c
>> +++ b/drivers/scsi/megaraid.c
>> @@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
>>               /*
>>                * Which adapter
>>                */
>> -             if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
>> +             adapno = GETADAP(uioc.adapno);
>> +             if( adapno < 0 )
>> +                     return (-EINVAL);
>> +             if( adapno >= hba_count )
>>                       return (-ENODEV);
>
> This relies on implementation-defined behaviour when converting an
> unsigned integer to signed integer.  A simpler and more robust fix is to
> make the local variable 'adapno' unsigned.
>
> --
> Måns Rullgård
> mans@...sr.com



--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ