[patch] bfa: integer overflow bug in debugfs

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Anil Gurumurthy <anil.gurumurthy@qlogic.com>
Cc: Sudarsana Kalluru <sudarsana.kalluru@qlogic.com>,
	"James E.J. Bottomley" <JBottomley@odin.com>,
	linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] bfa: integer overflow bug in debugfs
Date: Mon, 19 Oct 2015 10:17:49 +0000	[thread overview]
Message-ID: <20151019101749.GD26688@mwanda> (raw)

The "len << 2" operation can have an integer overflow and leading to a
kernel crash.  This is debugfs and thus root only so no one really
cares, but we should fix it anyway just to make the static checker
happy.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
index 74a307c..d5832b1 100644
--- a/drivers/scsi/bfa/bfad_debugfs.c
+++ b/drivers/scsi/bfa/bfad_debugfs.c
@@ -254,7 +254,8 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
 	struct bfad_s *bfad = port->bfad;
 	struct bfa_s *bfa = &bfad->bfa;
 	struct bfa_ioc_s *ioc = &bfa->ioc;
-	int addr, len, rc, i;
+	unsigned int len;
+	int addr, rc, i;
 	u32 *regbuf;
 	void __iomem *rb, *reg_addr;
 	unsigned long flags;
@@ -265,7 +266,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
 		return PTR_ERR(kern_buf);
 
 	rc = sscanf(kern_buf, "%x:%x", &addr, &len);
-	if (rc < 2) {
+	if (rc < 2 || len > UINT_MAX >> 2) {
 		printk(KERN_INFO
 			"bfad[%d]: %s failed to read user buf\n",
 			bfad->inst_no, __func__);

WARNING: multiple messages have this Message-ID (diff)

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Anil Gurumurthy <anil.gurumurthy@qlogic.com>
Cc: Sudarsana Kalluru <sudarsana.kalluru@qlogic.com>,
	"James E.J. Bottomley" <JBottomley@odin.com>,
	linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] bfa: integer overflow bug in debugfs
Date: Mon, 19 Oct 2015 13:17:49 +0300	[thread overview]
Message-ID: <20151019101749.GD26688@mwanda> (raw)

The "len << 2" operation can have an integer overflow and leading to a
kernel crash.  This is debugfs and thus root only so no one really
cares, but we should fix it anyway just to make the static checker
happy.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
index 74a307c..d5832b1 100644
--- a/drivers/scsi/bfa/bfad_debugfs.c
+++ b/drivers/scsi/bfa/bfad_debugfs.c
@@ -254,7 +254,8 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
 	struct bfad_s *bfad = port->bfad;
 	struct bfa_s *bfa = &bfad->bfa;
 	struct bfa_ioc_s *ioc = &bfa->ioc;
-	int addr, len, rc, i;
+	unsigned int len;
+	int addr, rc, i;
 	u32 *regbuf;
 	void __iomem *rb, *reg_addr;
 	unsigned long flags;
@@ -265,7 +266,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
 		return PTR_ERR(kern_buf);
 
 	rc = sscanf(kern_buf, "%x:%x", &addr, &len);
-	if (rc < 2) {
+	if (rc < 2 || len > UINT_MAX >> 2) {
 		printk(KERN_INFO
 			"bfad[%d]: %s failed to read user buf\n",
 			bfad->inst_no, __func__);

next             reply	other threads:[~2015-10-19 10:17 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-19 10:17 Dan Carpenter [this message]
2015-10-19 10:17 ` [patch] bfa: integer overflow bug in debugfs Dan Carpenter

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:74a307c dfblob:d5832b1 dfblob:74a307c dfblob:d5832b1 )
 OR (
bs:"[patch] bfa: integer overflow bug in debugfs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151019101749.GD26688@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=JBottomley@odin.com \
    --cc=anil.gurumurthy@qlogic.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=sudarsana.kalluru@qlogic.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.