[PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Chen.Yu
From: "Chen.Yu" There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would be < 0, leading to an error array access for hdb_soft_state[adapno], or an error copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..). The s

Re: [PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Yu Chen
I agree that the simpler fix is to change the type of 'adapno' to u32, which is the type of uioc.adapno to u32. 2013/12/14 Måns Rullgård : > "Chen.Yu" writes: > >> From: "Chen.Yu" >> >> There is a potential integer overflow in megadev_ioctl() if >> userspace passes in a large u32 variable uioc.

Re: [PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Måns Rullgård
"Chen.Yu" writes: > From: "Chen.Yu" > > There is a potential integer overflow in megadev_ioctl() if > userspace passes in a large u32 variable uioc.adapno. > The int variable adapno would be < 0, leading to an error > array access for hdb_soft_state[adapno], or an error > copy_to_user(uioc.uioc_uad

[PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Chen.Yu
From: "Chen.Yu" There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would be < 0, leading to an error array access for hdb_soft_state[adapno], or an error copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..) Repor

Re: [PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Levente Kurusa
On 12/13/2013 06:31 PM, Yu Chen wrote: > Thank you! The new patch > ----- > [PATCH] scsi: integer overflow in megadev_ioctl() > > There is a potential integer overflow in megadev_ioctl() if > userspace passes in a

Re: [PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Yu Chen
Thank you! The new patch - [PATCH] scsi: integer overflow in megadev_ioctl() There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would be < 0, leading

Re: [PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Levente Kurusa
Hi, On 12/13/2013 05:55 PM, Yu Chen wrote: > drivers/scsi/megaraid.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c > index 816db12..41bbc21 100644 > --- a/drivers/scsi/megaraid.c > +++ b/drivers/scsi/megaraid.c > @@ -

[PATCH] scsi: integer overflow in megadev_ioctl()

2013-12-13 Thread Yu Chen
There is a potential integer overflow in megadev_ioctl() if userspace passes in a large u32 variable uioc.adapno. The int variable adapno would be < 0, leading to an error array access for hdb_soft_state[adapno]. Reported-by: Wenliang Fan Suggested-by: Qixue Xiao Signed-off-by: Yu Chen --- drivers