From: Dan Carpenter Date: Fri, 8 Oct 2010 07:03:07 +0000 (+0200) Subject: gdth: integer overflow in ioctl X-Git-Tag: firefly_0821_release~9833^2~79^2^2~297 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=962536d9c9b0ed384a4e3bd1011c144f956b6ccb;p=firefly-linux-kernel-4.4.55.git gdth: integer overflow in ioctl commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream. gdth_ioctl_alloc() takes the size variable as an int. copy_from_user() takes the size variable as an unsigned long. gen.data_len and gen.sense_len are unsigned longs. On x86_64 longs are 64 bit and ints are 32 bit. We could pass in a very large number and the allocation would truncate the size to 32 bits and allocate a small buffer. Then when we do the copy_from_user(), it would result in a memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c index b860d650a563..4cf7ffa2dad3 100644 --- a/drivers/scsi/gdth.c +++ b/drivers/scsi/gdth.c @@ -4175,6 +4175,14 @@ static int ioc_general(void __user *arg, char *cmnd) ha = gdth_find_ha(gen.ionode); if (!ha) return -EFAULT; + + if (gen.data_len > INT_MAX) + return -EINVAL; + if (gen.sense_len > INT_MAX) + return -EINVAL; + if (gen.data_len + gen.sense_len > INT_MAX) + return -EINVAL; + if (gen.data_len + gen.sense_len != 0) { if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len, FALSE, &paddr)))