Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934560AbcJUJWW (ORCPT ); Fri, 21 Oct 2016 05:22:22 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:47184 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934471AbcJUJWQ (ORCPT ); Fri, 21 Oct 2016 05:22:16 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marco Grassi , Dan Carpenter , Tomas Henzl , "Martin K. Petersen" Subject: [PATCH 4.8 35/57] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Date: Fri, 21 Oct 2016 11:17:58 +0200 Message-Id: <20161021091437.094222870@linuxfoundation.org> X-Mailer: git-send-email 2.10.0 In-Reply-To: <20161021091435.435647262@linuxfoundation.org> References: <20161021091435.435647262@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1468 Lines: 46 4.8-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream. We need to put an upper bound on "user_len" so the memcpy() doesn't overflow. Reported-by: Marco Grassi Signed-off-by: Dan Carpenter Reviewed-by: Tomas Henzl Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/scsi/arcmsr/arcmsr_hba.c +++ b/drivers/scsi/arcmsr/arcmsr_hba.c @@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struc } case ARCMSR_MESSAGE_WRITE_WQBUFFER: { unsigned char *ver_addr; - int32_t user_len, cnt2end; + uint32_t user_len; + int32_t cnt2end; uint8_t *pQbuffer, *ptmpuserbuffer; ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); if (!ver_addr) { @@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struc } ptmpuserbuffer = ver_addr; user_len = pcmdmessagefld->cmdmessage.Length; + if (user_len > ARCMSR_API_DATA_BUFLEN) { + retvalue = ARCMSR_MESSAGE_FAIL; + kfree(ver_addr); + goto message_out; + } memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len); spin_lock_irqsave(&acb->wqbuffer_lock, flags);