Message size was already validated against inbound_frame_size, but that does not guarantee that it is small enough for the buffer used to store a copy of it on the stack.
Signed-off-by: Guenter Roeck <[email protected]> --- I am also not sure if the previous validation can be trusted, since the size is read again from user space after the initial validation. drivers/message/i2o/i2o_config.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c index 5451bef..aabaafc 100644 --- a/drivers/message/i2o/i2o_config.c +++ b/drivers/message/i2o/i2o_config.c @@ -922,6 +922,10 @@ static int i2o_cfg_passthru(unsigned long arg) } size = size >> 16; size *= 4; + if (size > sizeof(rmsg)) { + rcode = -EFAULT; + goto sg_list_cleanup; + } /* Copy in the user's I2O command */ if (copy_from_user(rmsg, user_msg, size)) { rcode = -EFAULT; -- 1.7.9.7
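Review bot: the error code for an oversized message in the added `if (size > sizeof(rmsg))` branch should be -EINVAL rather than -EFAULT; -EFAULT conventionally means the user pointer itself was bad, which is exactly what the `copy_from_user(rmsg, user_msg, size)` failure just below already reports, so a caller cannot tell a bad address from a bad length. The placement is right: checking immediately after `size *= 4` and before the copy bounds the value that was re-read from user space, so the fix does not rely on the earlier inbound_frame_size validation the cover note says may not be trustworthy. It would also help to state in the commit message that without this check a user-supplied length larger than the stack buffer leads to a stack overflow in i2o_cfg_passthru, since that is what comparing against sizeof(rmsg) prevents.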

