releases/3.16.54/scsi-bfa-integer-overflow-in-debugfs.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Wed, 4 Oct 2017 10:50:37 +0300
 Subject: scsi: bfa: integer overflow in debugfs

 commit 3e351275655d3c84dc28abf170def9786db5176d upstream.

 We could allocate less memory than intended because we do:

 	bfad->regdata = kzalloc(len << 2, GFP_KERNEL);

 The shift can overflow leading to a crash.  This is debugfs code so the
 impact is very small.  I fixed the network version of this in March with
 commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").

 Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  drivers/scsi/bfa/bfad_debugfs.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

 --- a/drivers/scsi/bfa/bfad_debugfs.c
 +++ b/drivers/scsi/bfa/bfad_debugfs.c
 @@ -254,7 +254,8 @@ bfad_debugfs_write_regrd(struct file *fi
  	struct bfad_s *bfad = port->bfad;
  	struct bfa_s *bfa = &bfad->bfa;
  	struct bfa_ioc_s *ioc = &bfa->ioc;
 -	int addr, len, rc, i;
 +	int addr, rc, i;
 +	u32 len;
  	u32 *regbuf;
  	void __iomem *rb, *reg_addr;
  	unsigned long flags;
 @@ -274,7 +275,7 @@ bfad_debugfs_write_regrd(struct file *fi
  	}

  	rc = sscanf(kern_buf, "%x:%x", &addr, &len);
 -	if (rc < 2) {
 +	if (rc < 2 || len > (UINT_MAX >> 2)) {
  		printk(KERN_INFO
  			"bfad[%d]: %s failed to read user buf\n",
  			bfad->inst_no, __func__);
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Wed, 4 Oct 2017 10:50:37 +0300
	Subject: scsi: bfa: integer overflow in debugfs

	commit 3e351275655d3c84dc28abf170def9786db5176d upstream.

	We could allocate less memory than intended because we do:

	bfad->regdata = kzalloc(len << 2, GFP_KERNEL);

	The shift can overflow leading to a crash. This is debugfs code so the
	impact is very small. I fixed the network version of this in March with
	commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").

	Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	drivers/scsi/bfa/bfad_debugfs.c \| 5 +++--
	1 file changed, 3 insertions(+), 2 deletions(-)

	--- a/drivers/scsi/bfa/bfad_debugfs.c
	+++ b/drivers/scsi/bfa/bfad_debugfs.c
	@@ -254,7 +254,8 @@ bfad_debugfs_write_regrd(struct file *fi
	struct bfad_s *bfad = port->bfad;
	struct bfa_s *bfa = &bfad->bfa;
	struct bfa_ioc_s *ioc = &bfa->ioc;
	- int addr, len, rc, i;
	+ int addr, rc, i;
	+ u32 len;
	u32 *regbuf;
	void __iomem rb, reg_addr;
	unsigned long flags;
	@@ -274,7 +275,7 @@ bfad_debugfs_write_regrd(struct file *fi
	}

	rc = sscanf(kern_buf, "%x:%x", &addr, &len);
	- if (rc < 2) {
	+ if (rc < 2 \|\| len > (UINT_MAX >> 2)) {
	printk(KERN_INFO
	"bfad[%d]: %s failed to read user buf\n",
	bfad->inst_no, __func__);