| From foo@baz Thu Dec 21 09:02:40 CET 2017 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Fri, 17 Mar 2017 23:52:35 +0300 |
| Subject: bna: integer overflow bug in debugfs |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| |
| [ Upstream commit 13e2d5187f6b965ba3556caedb914baf81b98ed2 ] |
| |
| We could allocate less memory than intended because we do: |
| |
| bnad->regdata = kzalloc(len << 2, GFP_KERNEL); |
| |
| The shift can overflow leading to a crash. This is debugfs code so the |
| impact is very small. |
| |
| Fixes: 7afc5dbde091 ("bna: Add debugfs interface.") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Rasesh Mody <rasesh.mody@cavium.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <alexander.levin@verizon.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c |
| +++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c |
| @@ -325,7 +325,7 @@ bnad_debugfs_write_regrd(struct file *fi |
| return PTR_ERR(kern_buf); |
| |
| rc = sscanf(kern_buf, "%x:%x", &addr, &len); |
| - if (rc < 2) { |
| + if (rc < 2 || len > UINT_MAX >> 2) { |
| netdev_warn(bnad->netdev, "failed to read user buffer\n"); |
| kfree(kern_buf); |
| return -EINVAL; |