| commit | f89236606b91a98c1944f59ee66265d15e74a7c2 | |
| author | Dan Carpenter <error27@gmail.com> | |
| Fri, 8 Oct 2010 07:03:07 +0000 (8 09:03 +0200) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Mon, 22 Nov 2010 18:47:38 +0000 (22 10:47 -0800) | ||
| tree | f2ea6a44fcbac84dcfd9b17a9f1a643119e205df | treesnapshot (tar.gz zip) |
| parent | f8d4ab3d9bfdb249c3489e92478685b986ef6fcc | commitdiff |
gdth: integer overflow in ioctl
commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.
gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.
We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer. Then when we do the
copy_from_user(), it would result in a memory corruption.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.
gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.
We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer. Then when we do the
copy_from_user(), it would result in a memory corruption.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| drivers/scsi/gdth.c | diffblobblamehistory |