Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754893AbbKWNXO (ORCPT ); Mon, 23 Nov 2015 08:23:14 -0500 Received: from mx2.suse.de ([195.135.220.15]:59316 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754230AbbKWNJo (ORCPT ); Mon, 23 Nov 2015 08:09:44 -0500 X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References" From: Jiri Slaby To: stable@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Dan Carpenter , James Bottomley , Oliver Neukum , Jiri Slaby Subject: [PATCH 3.12 29/72] mptfusion: prevent some memory corruption Date: Mon, 23 Nov 2015 14:08:51 +0100 Message-Id: <1f71f19f190bbd80d00b175a039de8b6aa946ecd.1448283890.git.jslaby@suse.cz> X-Mailer: git-send-email 2.6.3 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1852 Lines: 52 From: Dan Carpenter 3.12-stable review patch. If anyone has any objections, please let me know. =============== commit e819cdb198319cccf4af4fc12ac4d796109d8c23 upstream. These are signed values the come from the user, we put a cap on the upper bounds but not on the lower bounds. We use "karg.dataSgeOffset" to calculate "sz". We verify "sz" and proceed as if that means that "karg.dataSgeOffset" is correct but this fails to consider that the "sz" calculations can have integer overflows. Signed-off-by: Dan Carpenter Reviewed-by: Johannes Thumshirn Signed-off-by: James Bottomley Cc: Oliver Neukum Signed-off-by: Jiri Slaby --- drivers/message/fusion/mptctl.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c index dcc8385adeb3..39e824f65f5c 100644 --- a/drivers/message/fusion/mptctl.c +++ b/drivers/message/fusion/mptctl.c @@ -1872,6 +1872,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr) } spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags); + /* Basic sanity checks to prevent underflows or integer overflows */ + if (karg.maxReplyBytes < 0 || + karg.dataInSize < 0 || + karg.dataOutSize < 0 || + karg.dataSgeOffset < 0 || + karg.maxSenseBytes < 0 || + karg.dataSgeOffset > ioc->req_sz / 4) + return -EINVAL; + /* Verify that the final request frame will not be too large. */ sz = karg.dataSgeOffset * 4; -- 2.6.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/