From: "Chen.Yu"
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
The int variable adapno would < 0, leading to an error
array access for hdb_soft_state[adapno], or an error
copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..).
The s
I agree that the simpler fix is to change the type of 'adapno' to u32,
which is the type of uioc.adapno to u32.
2013/12/14 Måns Rullgård :
> "Chen.Yu" writes:
>
>> From: "Chen.Yu"
>>
>> There is a potential integer overflow in megadev_ioctl() if
>> userspace passes in a large u32 variable uioc.
"Chen.Yu" writes:
> From: "Chen.Yu"
>
> There is a potential integer overflow in megadev_ioctl() if
> userspace passes in a large u32 variable uioc.adapno.
> The int variable adapno would < 0, leading to an error
> array access for hdb_soft_state[adapno], or an error
> copy_to_user(uioc.uioc_uad
From: "Chen.Yu"
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
The int variable adapno would < 0, leading to an error
array access for hdb_soft_state[adapno], or an error
copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
Repor
On 12/13/2013 06:31 PM, Yu Chen wrote:
> Thank you! The new patch
> -----
> [PATCH] scsi: integer overflow in megadev_ioctl()
>
> There is a potential integer overflow in megadev_ioctl() if
> userspace passes in a
Thank you! The new patch
-
[PATCH] scsi: integer overflow in megadev_ioctl()
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
The int variable adapno would < 0, leading
Hi,
On 12/13/2013 05:55 PM, Yu Chen wrote:
> drivers/scsi/megaraid.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
> index 816db12..41bbc21 100644
> --- a/drivers/scsi/megaraid.c
> +++ b/drivers/scsi/megaraid.c
> @@ -
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno. The
int variable adapno would < 0, leading to an error array access
for hdb_soft_state[adapno].
Reported-by: Wenliang Fan
Suggested-by: Qixue Xiao
Signed-off-by: Yu Chen
---
drivers