From patchwork Wed Feb 2 12:27:32 2011
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 81448
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [dapper CVE 1/1] [SCSI] gdth: integer overflow in ioctl, CVE-2010-4157
Date: Wed, 2 Feb 2011 12:27:32 +0000
Message-Id: <1296649653-7523-2-git-send-email-apw@canonical.com>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1296649653-7523-1-git-send-email-apw@canonical.com>
References: <1296649653-7523-1-git-send-email-apw@canonical.com>
List-Id: Kernel team discussions
From: Dan Carpenter

gdth_ioctl_alloc() takes the size variable as an int. copy_from_user() takes the size variable as an unsigned long. gen.data_len and gen.sense_len are unsigned longs. On x86_64 longs are 64 bit and ints are 32 bit. We could pass in a very large number and the allocation would truncate the size to 32 bits and allocate a small buffer. Then when we do the copy_from_user(), it would result in a memory corruption.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter
Signed-off-by: James Bottomley

CVE-2010-4157
BugLink: http://bugs.launchpad.net/bugs/711797
(back ported from commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4)

Adds additional checks for the unit number which is also passed in from userspace.

Signed-off-by: Andy Whitcroft
---
 drivers/scsi/gdth.c | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index b9aea77..5d8c626 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -4984,7 +4984,19 @@ static int ioc_general(void __user *arg, char *cmnd) gen.ionode >= gdth_ctr_count) return -EFAULT; hanum = gen.ionode; + if (hanum >= MAXHA) + return -EINVAL; ha = HADATA(gdth_ctr_tab[hanum]); + if (!ha) + return -EINVAL; + + if (gen.data_len > INT_MAX) + return -EINVAL; + if (gen.sense_len > INT_MAX) + return -EINVAL; + if (gen.data_len + gen.sense_len > INT_MAX) + return -EINVAL; + if (gen.data_len + gen.sense_len != 0) { if (!(buf = gdth_ioctl_alloc(hanum, gen.data_len + gen.sense_len, FALSE, &paddr)))
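Review bot: The error codes in this hunk are inconsistent: the existing `gen.ionode >= gdth_ctr_count` bound check two lines above returns -EFAULT, while the new `hanum >= MAXHA` check on the same user-supplied unit number returns -EINVAL, so the same kind of out-of-range input yields different errnos depending on which check fires first; pick one (-EINVAL is the conventional choice for a bad argument value) or note in the backport description why they differ. The three INT_MAX checks are correctly ordered and none is redundant: the per-field checks must come first, because with 64-bit unsigned longs `gen.data_len + gen.sense_len` could wrap to a small value and slip past the summed check alone, and the summed check is what finally guarantees the `int` parameter of gdth_ioctl_alloc() is not truncated; a one-line comment above the first check saying so would save the next reader from "simplifying" them. INT_MAX is the truncation bound, not a sane ceiling for an ioctl scratch buffer, so consider whether a tighter limit on `gen.data_len + gen.sense_len` is appropriate for this driver, since as written an unprivileged-to-the-device caller can still request an allocation of up to INT_MAX bytes. Finally, the backport commentary ("Adds additional checks for the unit number") should say why the `!ha` check after HADATA(gdth_ctr_tab[hanum]) is needed in this tree, since the upstream commit cited above does not carry it.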