Commit f63ae56e authored Oct 08, 2010 by Dan Carpenter Committed by James Bottomley Oct 25, 2010

[SCSI] gdth: integer overflow in ioctl



gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer.  Then when we do the
copy_from_user(), it would result in a memory corruption.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

parent 546ae796

drivers/scsi/gdth.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -4177,6 +4177,14 @@ static int ioc_general(void __user arg, char cmnd)
		ha = gdth_find_ha(gen.ionode);
		if (!ha)
		return -EFAULT;

		if (gen.data_len > INT_MAX)
		return -EINVAL;
		if (gen.sense_len > INT_MAX)
		return -EINVAL;
		if (gen.data_len + gen.sense_len > INT_MAX)
		return -EINVAL;

		if (gen.data_len + gen.sense_len != 0) {
		if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
		FALSE, &paddr)))