There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would < 0, leading to a error array access for hdb_soft_state[adapno].
Reported-by: Wenliang Fan <[email protected]> Suggested-by: Qixue Xiao <[email protected]> Signed-off-by: Yu Chen <[email protected]> --- drivers/scsi/megaraid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 816db12..41bbc21 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c @@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) /* * Which adapter */ - if( (adapno = GETADAP(uioc.adapno)) >= hba_count ) + adapno = GETADAP(uioc.adapno); + if( adapno >= hba_count || adapno < 0 ) return (-ENODEV); adapter = hba_soft_state[adapno]; -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
