From: Greg KH <greg@kroah.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: qla2xxx-upstream@qlogic.com, shqking <shqking@gmail.com>,
Joe Carnuccio <joe.carnuccio@qlogic.com>,
"James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH] scsi: qla2xxx: Fix an integer overflow in sysfs code
Date: Wed, 30 Aug 2017 15:12:35 +0200 [thread overview]
Message-ID: <20170830131235.GC12924@kroah.com> (raw)
In-Reply-To: <20170830122106.dmdfril4kwi4p5e5@mwanda>
On Wed, Aug 30, 2017 at 03:21:07PM +0300, Dan Carpenter wrote:
> The value of "size" comes from the user. When we add "start + size"
> it could lead to an integer overflow bug.
>
> It means we vmalloc() a lot more memory than we had intended. I believe
> that on 64 bit systems vmalloc() can succeed even if we ask it to
> allocate huge 4GB buffers. So we would get memory corruption and likely
> a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
>
> Only root can trigger this bug.
>
> Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
> Reported-by: shqking <shqking@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
perhaps?
thanks,
greg k-h
next prev parent reply other threads:[~2017-08-30 13:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAER+mfKPOt03DmPB4FTCjVvQ=2uRSMVbBHP-3CdoG+mQnSiYFw@mail.gmail.com>
2017-08-30 12:21 ` [PATCH] scsi: qla2xxx: Fix an integer overflow in sysfs code Dan Carpenter
[not found] ` <CAER+mf+sKmuDHmdsx_QfFgA4iNCQkhPAOvJBq3ydKpFXh2hJRQ@mail.gmail.com>
2017-08-30 12:36 ` Dan Carpenter
2017-08-30 13:12 ` Greg KH [this message]
2017-08-30 13:20 ` Eric Dumazet
2017-08-30 13:30 ` [PATCH v2] " Dan Carpenter
2017-08-30 17:08 ` Carnuccio, Joe
2017-08-31 2:07 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170830131235.GC12924@kroah.com \
--to=greg@kroah.com \
--cc=dan.carpenter@oracle.com \
--cc=jejb@linux.vnet.ibm.com \
--cc=joe.carnuccio@qlogic.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=qla2xxx-upstream@qlogic.com \
--cc=security@kernel.org \
--cc=shqking@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox