From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
"Dan Carpenter" <dan.carpenter@oracle.com>,
"Johannes Thumshirn" <jthumshirn@suse.de>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 3.16 19/61] scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
Date: Tue, 09 Jun 2020 19:04:10 +0100 [thread overview]
Message-ID: <lsq.1591725832.803339175@decadent.org.uk> (raw)
In-Reply-To: <lsq.1591725831.850867383@decadent.org.uk>
3.16.85-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit a7043e9529f3c367cc4d82997e00be034cbe57ca upstream.
My static checker complains about an out of bounds read:
drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()
error: buffer overflow 'hd->sel_timeout' 255 <= u32max.
It's true that we probably should have a bounds check here.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/message/fusion/mptctl.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg)
__FILE__, __LINE__, iocnum);
return -ENODEV;
}
+ if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
+ return -EINVAL;
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
ioc->name));
next prev parent reply other threads:[~2020-06-09 18:11 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 18:03 [PATCH 3.16 00/61] 3.16.85-rc1 review Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 01/61] slcan: Fix memory leak in error path Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 02/61] can: slcan: Fix use-after-free Read in slcan_open Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 03/61] slcan: not call free_netdev before rtnl_unlock " Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 04/61] slip: Fix memory leak in slip_open error path Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 05/61] slip: Fix use-after-free Read in slip_open Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 06/61] slip: not call free_netdev before rtnl_unlock " Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 07/61] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 08/61] net-sysfs: fix netdev_queue_add_kobject() breakage Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 09/61] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 10/61] net-sysfs: Call dev_hold always in rx_queue_add_kobject Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 11/61] selinux: cleanup error reporting in selinux_nlmsg_perm() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 12/61] selinux: convert WARN_ONCE() to printk() " Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 13/61] selinux: Print 'sclass' as string when unrecognized netlink message occurs Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 14/61] selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 15/61] selinux: properly handle multiple messages in selinux_netlink_send() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 16/61] drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 17/61] drivers: usb: core: Minimize irq disabling in usb_sg_cancel() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 18/61] USB: core: Fix free-while-in-use bug in the USB S-Glibrary Ben Hutchings
2020-06-09 18:04 ` Ben Hutchings [this message]
2020-06-09 18:04 ` [PATCH 3.16 20/61] scsi: mptfusion: Fix double fetch bug in ioctl Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 21/61] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 22/61] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 23/61] sg: O_EXCL and other lock handling Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 24/61] sg: prevent integer overflow when converting from sectors to bytes Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 25/61] scsi: sg: Change next_cmd_len handling to mirror upstream Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 26/61] scsi: sg: protect accesses to 'reserved' page array Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 27/61] scsi: sg: reset 'res_in_use' after unlinking reserved array Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 28/61] scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 29/61] scsi: sg: recheck MMAP_IO request length with lock held Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 30/61] scsi: sg: remove 'save_scat_len' Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 31/61] scsi: sg: use standard lists for sg_requests Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 32/61] scsi: sg: off by one in sg_ioctl() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 33/61] scsi: sg: factor out sg_fill_request_table() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 34/61] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 35/61] scsi: sg: Re-fix off by one in sg_fill_request_table() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 36/61] scsi: sg: disable SET_FORCE_LOW_DMA Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 37/61] scsi: sg: check for valid direction before starting the request Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 38/61] scsi: sg: close race condition in sg_remove_sfp_usercontext() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 39/61] scsi: sg: fix SG_DXFER_FROM_DEV transfers Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 40/61] scsi: sg: fix static checker warning in sg_is_valid_dxfer Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 41/61] scsi: sg: only check for dxfer_len greater than 256M Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 42/61] scsi: sg: don't return bogus Sg_requests Ben Hutchings
2020-06-09 18:28 ` Tony Battersby
2020-06-09 19:03 ` Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 43/61] scsi: sg: fix minor memory leak in error path Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 44/61] scsi: sg: add sg_remove_request in sg_common_write Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 45/61] scsi: sg: add sg_remove_request in sg_write Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 46/61] signal: Extend exec_id to 64bits Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 47/61] USB: gadget: fix illegal array access in binding with UDC Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 48/61] ext4: Make checks for metadata_csum feature safer Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 49/61] ext4: protect journal inode's blocks using block_validity Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 50/61] ext4: unsigned int compared against zero Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 51/61] ext4: fix block validity checks for journal inodes using indirect blocks Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 52/61] ext4: don't perform block validity checks on the journal inode Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 53/61] ext4: add cond_resched() to ext4_protect_reserved_inode Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 54/61] x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 55/61] x86/cpu: Add a steppings field to struct x86_cpu_id Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 56/61] x86/cpu: Add 'table' argument to cpu_matches() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 57/61] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 58/61] x86/speculation: Add SRBDS vulnerability and mitigation documentation Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 59/61] x86/speculation: Add Ivy Bridge to affected list Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 60/61] random: always use batched entropy for get_random_u{32,64} Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 61/61] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() Ben Hutchings
2020-06-10 19:08 ` [PATCH 3.16 00/61] 3.16.85-rc1 review Guenter Roeck
2020-06-10 21:25 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1591725832.803339175@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=dan.carpenter@oracle.com \
--cc=jthumshirn@suse.de \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).