There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would < 0, leading to a error array access for hdb_soft_state[adapno].
Reported-by: Wenliang Fan <fanwle...@gmail.com> Suggested-by: Qixue Xiao <xiaoqixu...@163.com> Signed-off-by: Yu Chen <chy...@gmail.com> --- drivers/scsi/megaraid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 816db12..41bbc21 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c @@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) /* * Which adapter */ - if( (adapno = GETADAP(uioc.adapno)) >= hba_count ) + adapno = GETADAP(uioc.adapno); + if( adapno >= hba_count || adapno < 0 ) return (-ENODEV); adapter = hba_soft_state[adapno]; -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
