>-----Original Message-----
>From: Kees Cook [mailto:keesc...@google.com]
>Sent: Friday, January 10, 2014 12:05 AM
>To: Saxena, Sumit
>Cc: Dan Carpenter; DL-MegaRAID Linux; James E.J. Bottomley; linux-
>s...@vger.kernel.org; secur...@kernel.org; Nico Golde; Fabian Yamaguchi
>Subject: Re: [patch] [SCSI] megaraid: missing bounds check in mimd_to_kioc()
>
>On Wed, Jan 8, 2014 at 4:27 AM, Saxena, Sumit <sumit.sax...@lsi.com>
>wrote:
>>
>>
>>>-----Original Message-----
>>>From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
>>>Sent: Wednesday, October 30, 2013 10:44 PM
>>>To: DL-MegaRAID Linux
>>>Cc: James E.J. Bottomley; linux-scsi@vger.kernel.org;
>>>secur...@kernel.org; Nico Golde; Fabian Yamaguchi
>>>Subject: [patch] [SCSI] megaraid: missing bounds check in
>>>mimd_to_kioc()
>>>
>>>pthru32->dataxferlen comes from the user so we need to check that it's
>>>not too large so we don't overflow the buffer.
>>>
>>>Reported-by: Nico Golde <n...@ngolde.de>
>>>Reported-by: Fabian Yamaguchi <f...@goesec.de>
>>>Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
>>>---
>>>Please review this carefully because I have not tested it.
>>>
>>>diff --git a/drivers/scsi/megaraid/megaraid_mm.c
>>>b/drivers/scsi/megaraid/megaraid_mm.c
>>>index dfffd0f..a706927 100644
>>>--- a/drivers/scsi/megaraid/megaraid_mm.c
>>>+++ b/drivers/scsi/megaraid/megaraid_mm.c
>>>@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd,
>mraid_mmadp_t
>>>*adp, uioc_t *kioc)
>>>
>>>       pthru32->dataxferaddr   = kioc->buf_paddr;
>>>       if (kioc->data_dir & UIOC_WR) {
>>>+              if (pthru32->dataxferlen > kioc->xferlen)
>>>+                      return -EINVAL;
>>>               if (copy_from_user(kioc->buf_vaddr, kioc->user_data,
>>>                                               pthru32->dataxferlen)) {
>>>                       return (-EFAULT);
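Review bot: The new check sits inside the `if (kioc->data_dir & UIOC_WR)` branch, so a user-supplied pthru32->dataxferlen larger than kioc->xferlen is rejected only for the write direction and passes through unvalidated otherwise. Consider moving the comparison above the `if` so the length is bounded regardless of direction. The fix also relies on kioc->xferlen being the size of the buffer behind kioc->buf_vaddr, which these lines do not show; the commit message should state where that buffer is sized. Minor style point: the added `return -EINVAL;` and the existing `return (-EFAULT);` two lines below use different forms; pick one.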
>>
>> Acked-by: Sumit Saxena <sumit.sax...@lsi.com>
>>
>> Sumit
>>
>
>Thanks for the Ack. Who normally picks patches for this area?
>
>-Kees
>
James Bottomley (Linux SCSI subsystem maintainer) should pick this patch.

Sumit
>--
>Kees Cook
>Chrome OS Security
