[PATCH] scsi: integer overflow in megadev_ioctl()
From: Yu Chen
Date: Fri Dec 13 2013 - 11:55:57 EST
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno. The
int variable adapno would < 0, leading to a error array access
for hdb_soft_state[adapno].
Reported-by: Wenliang Fan <fanwlexca@xxxxxxxxx>
Suggested-by: Qixue Xiao <xiaoqixue_1@xxxxxxx>
Signed-off-by: Yu Chen <chyyuu@xxxxxxxxx>
---
drivers/scsi/megaraid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 816db12..41bbc21 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int
cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno >= hba_count || adapno < 0 )
return (-ENODEV);
adapter = hba_soft_state[adapno];
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/