
Commit a361cc00 authored by Darrick J. Wong, committed by James Bottomley

[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption



If I create a scsi_debug device that is larger than 4GB, the multiplication of
(block * scsi_debug_sector_size) can produce a 64-bit value.  Unfortunately,
the compiler sees two 32-bit quantities and performs a 32-bit multiplication,
thus truncating the bits above 2^32.  This causes the wrong memory location to
be read or written.  Change block and rest to be unsigned long long.

Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
parent 044d78e1
+1 −1
@@ -1671,7 +1671,7 @@ static int do_device_access(struct scsi_cmnd *scmd,
			    unsigned long long lba, unsigned int num, int write)
			    unsigned long long lba, unsigned int num, int write)
{
{
	int ret;
	int ret;
	unsigned int block, rest = 0;
	unsigned long long block, rest = 0;
	int (*func)(struct scsi_cmnd *, unsigned char *, int);
	int (*func)(struct scsi_cmnd *, unsigned char *, int);


	func = write ? fetch_to_dev_buffer : fill_from_dev_buffer;
	func = write ? fetch_to_dev_buffer : fill_from_dev_buffer;
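
Review bot: the fix on the declaration line (`unsigned long long block, rest = 0;`) depends on implicit promotion at the `block * scsi_debug_sector_size` multiplication named in the commit message, which is not among the visible lines, so nothing at the point of use shows that 64-bit arithmetic is required. Consider a short comment on the declaration, or an explicit `(unsigned long long)` cast at the multiplication, so a later type cleanup does not reintroduce the truncation. Also note that `func` still takes its third argument as `int` and `num` is `unsigned int`; if a byte count computed from `num` or `rest` is passed there, it is worth confirming that it cannot exceed the `int` range.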