* [PATCH] scsi: integer overflow in megadev_ioctl()
@ 2013-12-13 18:41 Chen.Yu
2013-12-13 18:59 ` Måns Rullgård
0 siblings, 1 reply; 8+ messages in thread
From: Chen.Yu @ 2013-12-13 18:41 UTC (permalink / raw)
To: linux-kernel; +Cc: levex, xiaoqixue_1, fanwlexca, Chen.Yu
From: "Chen.Yu" <chyyuu@gmail.com>
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
The int variable adapno would < 0, leading to an error
array access for hdb_soft_state[adapno], or an error
copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
Reported-by: Wenliang Fan <fanwlexca@gmail.com>
Suggested-by: Qixue Xiao <xiaoqixue_1@163.com>
Signed-off-by: Yu Chen <chyyuu@gmail.com>
Reviewed-by: Levente Kurusa <levex@linux.com>
---
drivers/scsi/megaraid.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 816db12..0b90c54 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno < 0 )
+ return (-EINVAL);
+ if( adapno >= hba_count )
return (-ENODEV);
if( copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,
@@ -3113,7 +3116,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno < 0 )
+ return (-EINVAL);
+ if( adapno >= hba_count )
return (-ENODEV);
adapter = hba_soft_state[adapno];
@@ -3160,7 +3166,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno < 0 )
+ return (-EINVAL);
+ if( adapno >= hba_count )
return (-ENODEV);
adapter = hba_soft_state[adapno];
--
1.8.3.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: integer overflow in megadev_ioctl()
2013-12-13 18:41 [PATCH] scsi: integer overflow in megadev_ioctl() Chen.Yu
@ 2013-12-13 18:59 ` Måns Rullgård
2013-12-14 0:35 ` Yu Chen
0 siblings, 1 reply; 8+ messages in thread
From: Måns Rullgård @ 2013-12-13 18:59 UTC (permalink / raw)
To: Chen.Yu; +Cc: linux-kernel, levex, xiaoqixue_1, fanwlexca
"Chen.Yu" <chyyuu@gmail.com> writes:
> From: "Chen.Yu" <chyyuu@gmail.com>
>
> There is a potential integer overflow in megadev_ioctl() if
> userspace passes in a large u32 variable uioc.adapno.
> The int variable adapno would < 0, leading to an error
> array access for hdb_soft_state[adapno], or an error
> copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
>
> Reported-by: Wenliang Fan <fanwlexca@gmail.com>
> Suggested-by: Qixue Xiao <xiaoqixue_1@163.com>
> Signed-off-by: Yu Chen <chyyuu@gmail.com>
> Reviewed-by: Levente Kurusa <levex@linux.com>
> ---
> drivers/scsi/megaraid.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
> index 816db12..0b90c54 100644
> --- a/drivers/scsi/megaraid.c
> +++ b/drivers/scsi/megaraid.c
> @@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> /*
> * Which adapter
> */
> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
> + adapno = GETADAP(uioc.adapno);
> + if( adapno < 0 )
> + return (-EINVAL);
> + if( adapno >= hba_count )
> return (-ENODEV);
This relies on implementation-defined behaviour when converting an
unsigned integer to signed integer. A simpler and more robust fix is to
make the local variable 'adapno' unsigned.
--
Måns Rullgård
mans@mansr.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: integer overflow in megadev_ioctl()
2013-12-13 18:59 ` Måns Rullgård
@ 2013-12-14 0:35 ` Yu Chen
0 siblings, 0 replies; 8+ messages in thread
From: Yu Chen @ 2013-12-14 0:35 UTC (permalink / raw)
To: Måns Rullgård
Cc: linux-kernel, Levente Kurusa, xiaoqixue_1,
范文良,
megaraidlinux
I agree that the simpler fix is to change the type of 'adapno' to u32,
which is the type of uioc.adapno to u32.
2013/12/14 Måns Rullgård <mans@mansr.com>:
> "Chen.Yu" <chyyuu@gmail.com> writes:
>
>> From: "Chen.Yu" <chyyuu@gmail.com>
>>
>> There is a potential integer overflow in megadev_ioctl() if
>> userspace passes in a large u32 variable uioc.adapno.
>> The int variable adapno would < 0, leading to an error
>> array access for hdb_soft_state[adapno], or an error
>> copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
>>
>> Reported-by: Wenliang Fan <fanwlexca@gmail.com>
>> Suggested-by: Qixue Xiao <xiaoqixue_1@163.com>
>> Signed-off-by: Yu Chen <chyyuu@gmail.com>
>> Reviewed-by: Levente Kurusa <levex@linux.com>
>> ---
>> drivers/scsi/megaraid.c | 15 ++++++++++++---
>> 1 file changed, 12 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
>> index 816db12..0b90c54 100644
>> --- a/drivers/scsi/megaraid.c
>> +++ b/drivers/scsi/megaraid.c
>> @@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
>> /*
>> * Which adapter
>> */
>> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
>> + adapno = GETADAP(uioc.adapno);
>> + if( adapno < 0 )
>> + return (-EINVAL);
>> + if( adapno >= hba_count )
>> return (-ENODEV);
>
> This relies on implementation-defined behaviour when converting an
> unsigned integer to signed integer. A simpler and more robust fix is to
> make the local variable 'adapno' unsigned.
>
> --
> Måns Rullgård
> mans@mansr.com
--
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] scsi: integer overflow in megadev_ioctl()
@ 2013-12-14 0:51 Chen.Yu
0 siblings, 0 replies; 8+ messages in thread
From: Chen.Yu @ 2013-12-14 0:51 UTC (permalink / raw)
To: linux-kernel; +Cc: levex, fanwlexca, mans, Chen.Yu
From: "Chen.Yu" <chyyuu@gmail.com>
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
The int variable adapno would < 0, leading to an error
array access for hdb_soft_state[adapno], or an error
copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..).
The simple fix is to the simpler fix is to change the type
of 'adapno' to u32, which is the type of uioc.adapno to u32.
Signed-off-by: Yu Chen <chyyuu@gmail.com>
---
drivers/scsi/megaraid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 816db12..724c5a5 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3038,7 +3038,7 @@ megadev_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
{
adapter_t *adapter;
nitioctl_t uioc;
- int adapno;
+ u32 adapno;
int rval;
mega_passthru __user *upthru; /* user address for passthru */
mega_passthru *pthru; /* copy user passthru here */
--
1.8.3.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: integer overflow in megadev_ioctl()
2013-12-13 17:31 ` Yu Chen
@ 2013-12-13 17:43 ` Levente Kurusa
0 siblings, 0 replies; 8+ messages in thread
From: Levente Kurusa @ 2013-12-13 17:43 UTC (permalink / raw)
To: Yu Chen
Cc: linux-kernel, megaraidlinux, xiaoqixue_1, 范文良
On 12/13/2013 06:31 PM, Yu Chen wrote:
> Thank you! The new patch
> -------------------------------------------------------------
> [PATCH] scsi: integer overflow in megadev_ioctl()
>
> There is a potential integer overflow in megadev_ioctl() if
> userspace passes in a large u32 variable uioc.adapno.
> Theint variable adapno would < 0, leading to a error
Typo here, 'theint' should be 'the int'
also it should be 'an error' instead of 'a error'
> array access for hdb_soft_state[adapno], or a error
Here as well.
> copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
>
> Reported-by: Wenliang Fan <fanwlexca@gmail.com>
> Suggested-by: Qixue Xiao <xiaoqixue_1@163.com>
> Signed-off-by: Yu Chen <chyyuu@gmail.com>
Reviewed-by: Levente Kurusa <levex@linux.com>
(Once you have fixed my suggestions :-) )
> ---
> drivers/scsi/megaraid.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
> index 41bbc21..0b90c54 100644
> --- a/drivers/scsi/megaraid.c
> +++ b/drivers/scsi/megaraid.c
> @@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int
> cmd, unsigned long arg)
> /*
> * Which adapter
> */
> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
> + adapno = GETADAP(uioc.adapno);
> + if( adapno < 0 )
> + return (-EINVAL);
> + if( adapno >= hba_count )
> return (-ENODEV);
>
> if( copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,
Total whitespace damage. :-)
Try sending them with 'git send-email' or configure your email client
properly.
Oh, and one last thing. Don't post the v3 as a reply to this, but
instead as a whole new post.
--
Regards,
Levente Kurusa
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: integer overflow in megadev_ioctl()
2013-12-13 17:01 ` Levente Kurusa
@ 2013-12-13 17:31 ` Yu Chen
2013-12-13 17:43 ` Levente Kurusa
0 siblings, 1 reply; 8+ messages in thread
From: Yu Chen @ 2013-12-13 17:31 UTC (permalink / raw)
To: Levente Kurusa
Cc: linux-kernel, megaraidlinux, xiaoqixue_1, 范文良
Thank you! The new patch
-------------------------------------------------------------
[PATCH] scsi: integer overflow in megadev_ioctl()
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno.
Theint variable adapno would < 0, leading to a error
array access for hdb_soft_state[adapno], or a error
copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,..)
Reported-by: Wenliang Fan <fanwlexca@gmail.com>
Suggested-by: Qixue Xiao <xiaoqixue_1@163.com>
Signed-off-by: Yu Chen <chyyuu@gmail.com>
---
drivers/scsi/megaraid.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 41bbc21..0b90c54 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3099,7 +3099,10 @@ megadev_ioctl(struct file *filep, unsigned int
cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno < 0 )
+ return (-EINVAL);
+ if( adapno >= hba_count )
return (-ENODEV);
if( copy_to_user(uioc.uioc_uaddr, mcontroller+adapno,
@@ -3113,8 +3116,10 @@ megadev_ioctl(struct file *filep, unsigned int
cmd, unsigned long arg)
/*
* Which adapter
*/
- adapno = GETADAP(uioc.adapno);
- if( adapno >= hba_count || adapno < 0 )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno < 0 )
+ return (-EINVAL);
+ if( adapno >= hba_count )
return (-ENODEV);
adapter = hba_soft_state[adapno];
@@ -3161,7 +3166,10 @@ megadev_ioctl(struct file *filep, unsigned int
cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno < 0 )
+ return (-EINVAL);
+ if( adapno >= hba_count )
return (-ENODEV);
adapter = hba_soft_state[adapno];
--
1.8.3.2
2013/12/14 Levente Kurusa <levex@linux.com>:
> Hi,
>
> On 12/13/2013 05:55 PM, Yu Chen wrote:
>> drivers/scsi/megaraid.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
>> index 816db12..41bbc21 100644
>> --- a/drivers/scsi/megaraid.c
>> +++ b/drivers/scsi/megaraid.c
>> @@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int
>> cmd, unsigned long arg)
>> /*
>> * Which adapter
>> */
>> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
>> + adapno = GETADAP(uioc.adapno);
>> + if( adapno >= hba_count || adapno < 0 )
>> return (-ENODEV);
>
> Wouldn't returning -EINVAL be better? For hba_count I understand that
> -ENODEV is returned but for adapno being a passed variable, I would
> suggest returning -EINVAL.
>
> --
> Regards,
> Levente Kurusa
--
Best Regards
==============================================
Yu Chen
Ph.D. Associate Professor
System Software&Software Engineering Group,
Dept. of Computer Science and Technology
Tsinghua University, Beijing 100084, P.R. China
E-Mail: mailto:yuchen@tsinghua.edu.cn chyyuu@gmail.com
==============================================
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] scsi: integer overflow in megadev_ioctl()
2013-12-13 16:55 Yu Chen
@ 2013-12-13 17:01 ` Levente Kurusa
2013-12-13 17:31 ` Yu Chen
0 siblings, 1 reply; 8+ messages in thread
From: Levente Kurusa @ 2013-12-13 17:01 UTC (permalink / raw)
To: Yu Chen, linux-kernel
Cc: megaraidlinux, xiaoqixue_1, 范文良
Hi,
On 12/13/2013 05:55 PM, Yu Chen wrote:
> drivers/scsi/megaraid.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
> index 816db12..41bbc21 100644
> --- a/drivers/scsi/megaraid.c
> +++ b/drivers/scsi/megaraid.c
> @@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int
> cmd, unsigned long arg)
> /*
> * Which adapter
> */
> - if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
> + adapno = GETADAP(uioc.adapno);
> + if( adapno >= hba_count || adapno < 0 )
> return (-ENODEV);
Wouldn't returning -EINVAL be better? For hba_count I understand that
-ENODEV is returned but for adapno being a passed variable, I would
suggest returning -EINVAL.
--
Regards,
Levente Kurusa
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] scsi: integer overflow in megadev_ioctl()
@ 2013-12-13 16:55 Yu Chen
2013-12-13 17:01 ` Levente Kurusa
0 siblings, 1 reply; 8+ messages in thread
From: Yu Chen @ 2013-12-13 16:55 UTC (permalink / raw)
To: linux-kernel; +Cc: megaraidlinux, xiaoqixue_1, 范文良
There is a potential integer overflow in megadev_ioctl() if
userspace passes in a large u32 variable uioc.adapno. The
int variable adapno would < 0, leading to a error array access
for hdb_soft_state[adapno].
Reported-by: Wenliang Fan <fanwlexca@gmail.com>
Suggested-by: Qixue Xiao <xiaoqixue_1@163.com>
Signed-off-by: Yu Chen <chyyuu@gmail.com>
---
drivers/scsi/megaraid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 816db12..41bbc21 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -3113,7 +3113,8 @@ megadev_ioctl(struct file *filep, unsigned int
cmd, unsigned long arg)
/*
* Which adapter
*/
- if( (adapno = GETADAP(uioc.adapno)) >= hba_count )
+ adapno = GETADAP(uioc.adapno);
+ if( adapno >= hba_count || adapno < 0 )
return (-ENODEV);
adapter = hba_soft_state[adapno];
--
1.8.3.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2013-12-14 0:52 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-12-13 18:41 [PATCH] scsi: integer overflow in megadev_ioctl() Chen.Yu
2013-12-13 18:59 ` Måns Rullgård
2013-12-14 0:35 ` Yu Chen
-- strict thread matches above, loose matches on Subject: below --
2013-12-14 0:51 Chen.Yu
2013-12-13 16:55 Yu Chen
2013-12-13 17:01 ` Levente Kurusa
2013-12-13 17:31 ` Yu Chen
2013-12-13 17:43 ` Levente Kurusa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.