diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-10-04 10:50:37 +0300 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2017-10-16 22:35:13 -0400 |
commit | 3e351275655d3c84dc28abf170def9786db5176d (patch) | |
tree | 88f0f09591a36ad920c5020f4293f3fc27c977ae /drivers/scsi/bfa/bfad_debugfs.c | |
parent | 2269848386c4b8395bc67eaaf7d08011da7c07ef (diff) | |
download | linux-3e351275655d3c84dc28abf170def9786db5176d.tar.gz linux-3e351275655d3c84dc28abf170def9786db5176d.tar.bz2 linux-3e351275655d3c84dc28abf170def9786db5176d.zip |
scsi: bfa: integer overflow in debugfs
We could allocate less memory than intended because we do:
bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
The shift can overflow leading to a crash. This is debugfs code so the
impact is very small. I fixed the network version of this in March with
commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/bfa/bfad_debugfs.c')
-rw-r--r-- | drivers/scsi/bfa/bfad_debugfs.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c index 8dcd8c70c7ee..05f523971348 100644 --- a/drivers/scsi/bfa/bfad_debugfs.c +++ b/drivers/scsi/bfa/bfad_debugfs.c @@ -255,7 +255,8 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, struct bfad_s *bfad = port->bfad; struct bfa_s *bfa = &bfad->bfa; struct bfa_ioc_s *ioc = &bfa->ioc; - int addr, len, rc, i; + int addr, rc, i; + u32 len; u32 *regbuf; void __iomem *rb, *reg_addr; unsigned long flags; @@ -266,7 +267,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, return PTR_ERR(kern_buf); rc = sscanf(kern_buf, "%x:%x", &addr, &len); - if (rc < 2) { + if (rc < 2 || len > (UINT_MAX >> 2)) { printk(KERN_INFO "bfad[%d]: %s failed to read user buf\n", bfad->inst_no, __func__); |