Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / refs/tags/v5.10.116 / . / releases / 3.14.5 / scsi-megaraid-missing-bounds-check-in-mimd_to_kioc.patch
blob: d095cf2f3a489ecc710c0791103d207762d2314e [file] [log] [blame]
From 3de2260140417759c669d391613d583baf03b0cf Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 30 Oct 2013 20:13:51 +0300
Subject: SCSI: megaraid: missing bounds check in mimd_to_kioc()
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 3de2260140417759c669d391613d583baf03b0cf upstream.
pthru32->dataxferlen comes from the user so we need to check that it's
not too large so we don't overflow the buffer.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sumit Saxena <sumit.saxena@lsi.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/megaraid/megaraid_mm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/megaraid/megaraid_mm.c
+++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, mraid
pthru32->dataxferaddr = kioc->buf_paddr;
if (kioc->data_dir & UIOC_WR) {
+ if (pthru32->dataxferlen > kioc->xferlen)
+ return -EINVAL;
if (copy_from_user(kioc->buf_vaddr, kioc->user_data,
pthru32->dataxferlen)) {
return (-EFAULT);