| From e58690c341643f1176668718a024da9f1e667ca1 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 25 Feb 2020 19:20:56 +0300 |
| Subject: [PATCH] libnvdimm: Out of bounds read in __nd_ioctl() |
| |
| commit f84afbdd3a9e5e10633695677b95422572f920dc upstream. |
| |
| The "cmd" comes from the user and it can be up to 255. If it's more |
| than the number of bits in long, it results in an out of bounds read when we |
| check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is |
| ND_CMD_CALL (10) so I added a compare against that. |
| |
| Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain |
| Signed-off-by: Dan Williams <dan.j.williams@intel.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c |
| index 0d97158e7ac3..f6ad9d27be6b 100644 |
| --- a/drivers/nvdimm/bus.c |
| +++ b/drivers/nvdimm/bus.c |
| @@ -1006,8 +1006,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, |
| return -EFAULT; |
| } |
| |
| - if (!desc || (desc->out_num + desc->in_num == 0) || |
| - !test_bit(cmd, &cmd_mask)) |
| + if (!desc || |
| + (desc->out_num + desc->in_num == 0) || |
| + cmd > ND_CMD_CALL || |
| + !test_bit(cmd, &cmd_mask)) |
| return -ENOTTY; |
| |
| /* fail write commands (when read-only) */ |
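Review bot: The added `cmd > ND_CMD_CALL` term has no comment saying it exists to keep `test_bit(cmd, &cmd_mask)` inside the mask, so a later cleanup could reorder it after the mask test or drop it as redundant. I would put `/* cmd is user-controlled; bound it before test_bit() indexes cmd_mask */` above the `if`. The bound is also tied to the last enum value rather than to the width of the mask; assuming cmd_mask is a single unsigned long, as the commit message implies, a `BUILD_BUG_ON(ND_CMD_CALL >= BITS_PER_LONG);` next to the check would catch the enum outgrowing the mask. `desc` appears to be looked up from `cmd` before this hunk, so it is worth confirming that lookup is bounded on its own. __nd_ioctl() starts and ends outside the hunk, so the declarations of cmd and cmd_mask are not visible here.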
| -- |
| 2.7.4 |
| |