| From 3de2260140417759c669d391613d583baf03b0cf Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 30 Oct 2013 20:13:51 +0300 |
| Subject: SCSI: megaraid: missing bounds check in mimd_to_kioc() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 3de2260140417759c669d391613d583baf03b0cf upstream. |
| |
| pthru32->dataxferlen comes from the user so we need to check that it's |
| not too large so we don't overflow the buffer. |
| |
| Reported-by: Nico Golde <nico@ngolde.de> |
| Reported-by: Fabian Yamaguchi <fabs@goesec.de> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Sumit Saxena <sumit.saxena@lsi.com> |
| Signed-off-by: James Bottomley <JBottomley@Parallels.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/scsi/megaraid/megaraid_mm.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/drivers/scsi/megaraid/megaraid_mm.c |
| +++ b/drivers/scsi/megaraid/megaraid_mm.c |
| @@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, mraid |
| |
| pthru32->dataxferaddr = kioc->buf_paddr; |
| if (kioc->data_dir & UIOC_WR) { |
| + if (pthru32->dataxferlen > kioc->xferlen) |
| + return -EINVAL; |
| if (copy_from_user(kioc->buf_vaddr, kioc->user_data, |
| pthru32->dataxferlen)) { |
| return (-EFAULT); |
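Review bot: The new length check sits inside the `if (kioc->data_dir & UIOC_WR)` branch, so it guards only the copy_from_user() into kioc->buf_vaddr; a request without UIOC_WR still carries an unchecked, user-supplied pthru32->dataxferlen next to `pthru32->dataxferaddr = kioc->buf_paddr`. If the controller uses that length for a transfer into the same buffer (not visible in this hunk, so this needs confirming), the bound should cover both directions: move `if (pthru32->dataxferlen > kioc->xferlen)` and `return -EINVAL;` above the `if (kioc->data_dir & UIOC_WR)` line. A one-line comment such as `/* dataxferlen is user-controlled; must not exceed the kioc buffer (kioc->xferlen) */` would record why the check exists, assuming xferlen really is the size of the buffer behind buf_vaddr. mimd_to_kioc() starts and ends outside the hunk, so whether the early return leaves anything to release depends on code and callers not shown here.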