CVE-2010-4157 gdth: integer overflow in ioc_general()
This commit is contained in:
Chuck Ebbert
parent
45a782f6d3
commit
d7c19e06c0
|
|
@ -0,0 +1,41 @@
|
|||
From: Dan Carpenter <error27@gmail.com>
|
||||
Date: Fri, 8 Oct 2010 07:03:07 +0000 (+0200)
|
||||
Subject: [SCSI] gdth: integer overflow in ioctl
|
||||
X-Git-Tag: v2.6.37-rc1~6^2~48
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f63ae56e4e97fb12053590e41a4fa59e7daa74a4
|
||||
|
||||
[SCSI] gdth: integer overflow in ioctl
|
||||
|
||||
gdth_ioctl_alloc() takes the size variable as an int.
|
||||
copy_from_user() takes the size variable as an unsigned long.
|
||||
gen.data_len and gen.sense_len are unsigned longs.
|
||||
On x86_64 longs are 64 bit and ints are 32 bit.
|
||||
|
||||
We could pass in a very large number and the allocation would truncate
|
||||
the size to 32 bits and allocate a small buffer. Then when we do the
|
||||
copy_from_user(), it would result in a memory corruption.
|
||||
|
||||
CC: stable@kernel.org
|
||||
Signed-off-by: Dan Carpenter <error27@gmail.com>
|
||||
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
|
||||
index 5a3f931..8411018 100644
|
||||
--- a/drivers/scsi/gdth.c
|
||||
+++ b/drivers/scsi/gdth.c
|
||||
@@ -4177,6 +4177,14 @@ static int ioc_general(void __user *arg, char *cmnd)
|
||||
ha = gdth_find_ha(gen.ionode);
|
||||
if (!ha)
|
||||
return -EFAULT;
|
||||
+
|
||||
+ if (gen.data_len > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
+ if (gen.sense_len > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
+ if (gen.data_len + gen.sense_len > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (gen.data_len + gen.sense_len != 0) {
|
||||
if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
|
||||
FALSE, &paddr)))
|
||||
|
|
@ -898,6 +898,8 @@ Patch13916: bio-take-care-not-overflow-page-count-when-mapping-copying-user-data
|
|||
# CVE-2010-4249
|
||||
Patch13917: af_unix-limit-unix_tot_inflight.patch
|
||||
Patch13918: scm-lower-SCM-MAX-FD.patch
|
||||
# CVE-2010-4157
|
||||
Patch13919: gdth-integer-overflow-in-ioctl.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
|
@ -1720,6 +1722,8 @@ ApplyPatch bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.
|
|||
# CVE-2010-4249
|
||||
ApplyPatch af_unix-limit-unix_tot_inflight.patch
|
||||
ApplyPatch scm-lower-SCM-MAX-FD.patch
|
||||
# CVE-2010-4157
|
||||
ApplyPatch gdth-integer-overflow-in-ioctl.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
|
@ -2342,6 +2346,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Dec 14 2010 Chuck Ebbert <cebbert@redhat.com>
|
||||
- CVE-2010-4157 gdth: integer overflow in ioc_general()
|
||||
|
||||
* Tue Dec 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.34.7-65
|
||||
- CVE-2010-4162 bio: integer overflow page count when mapping/copying user data
|
||||
- CVE-2010-4249 unix socket local dos
|
||||
|
|
|
|||
Loading…
Reference in New Issue