Dear David,

Thank you for the quick response. I think the safest way is to check for 
equality, not only to check that it is not larger than the first checked value, 
although I'm not sure whether anything wrong would happen if it is smaller. 
Please let me know if a patch is applied. Thanks!

Bests
Pengfei
> On July 7, 2016, at 11:43 PM, David Carroll <[email protected]> wrote:
> 
>> -----Original Message-----
>> From: [email protected] [mailto:linux-scsi-
>> [email protected]] On Behalf Of Pengfei Wang
>> Sent: Thursday, July 07, 2016 7:00 AM
>> To: [email protected]
>> Subject: Re: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
>> Hi,
>> 
>> Will anyone bother to confirm and fix this problem I reported last time? From
>> the point of view of security, I think it should be fixed.
>> I have discovered several cases of the same kind and all have been fixed by
>> the maintainers. Thanks!
>> 
>> Pengfei
>> 
> 
> Hi Pengfei,
> 
> I'm currently working on a patch set for the HBA-1000 card, and I agree with 
> your assessment. We will check the sizes and return an error if the size is 
> larger than when first checked;
> i.e.
> 
>       if (copy_from_user(kfib, arg, size)) {
>               retval = -EFAULT;
>               goto cleanup;
>       }
> 
>       if (unlikely((le16_to_cpu(kfib->header.Size) +
>                     sizeof(struct aac_fibhdr)) > size)) {
>               retval = -EINVAL;
>               goto cleanup;
>       }
> 
> Thanks, -Dave
> 
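
The two re-checks discussed in this thread ("not larger" and "equal"), compared in a user-space model of the double fetch. This is an added example, not code from the aacraid driver or from either poster. `struct fib_hdr`, `fetch_fib` and the `recheck` modes are hypothetical names, `memcpy` stands in for `copy_from_user`, and host byte order replaces `le16_to_cpu`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct aac_fibhdr (assumption: only Size matters). */
struct fib_hdr { uint16_t Size; uint16_t pad; };
enum recheck { NO_RECHECK, NOT_LARGER, MUST_EQUAL };
static unsigned char user_buf[64];      /* constructed "user space" memory */

/* first_size is what user space holds at the first fetch, raced_size what a
 * racing thread writes before the second fetch. Returns 0 and stores the
 * Size that later code would trust, or -EINVAL when the re-check rejects. */
int fetch_fib(enum recheck mode, uint16_t first_size, uint16_t raced_size,
              uint16_t *trusted)
{
    unsigned char kfib[64];
    struct fib_hdr hdr = { first_size, 0 };
    size_t size, now;

    memcpy(user_buf, &hdr, sizeof(hdr));
    /* Fetch 1: header only, to compute how much to copy. */
    memcpy(&hdr, user_buf, sizeof(hdr));
    size = hdr.Size + sizeof(struct fib_hdr);
    if (size > sizeof(kfib))
        return -EINVAL;

    /* Race window: user space rewrites header.Size (offset 0). */
    memcpy(user_buf, &raced_size, sizeof(raced_size));

    /* Fetch 2: whole FIB, which overwrites the header validated above. */
    memcpy(kfib, user_buf, size);
    memcpy(&hdr, kfib, sizeof(hdr));
    now = hdr.Size + sizeof(struct fib_hdr);
    if (mode == NOT_LARGER && now > size)
        return -EINVAL;
    if (mode == MUST_EQUAL && now != size)
        return -EINVAL;
    *trusted = hdr.Size;
    return 0;
}

int main(void)
{
    uint16_t t = 0;
    printf("no recheck, grown:  %d\n", fetch_fib(NO_RECHECK, 16, 4000, &t));
    printf("not larger, shrunk: %d\n", fetch_fib(NOT_LARGER, 16, 4, &t));
    printf("must equal, shrunk: %d\n", fetch_fib(MUST_EQUAL, 16, 4, &t));
    return 0;
}
```

With the "not larger" check a Size that shrank between the fetches is still accepted, while the "equal" check rejects any change.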
