linux-scsi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] esas2r: Fix array overrun
@ 2016-02-15 19:01 Alan
  2016-02-16  7:02 ` Johannes Thumshirn
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Alan @ 2016-02-15 19:01 UTC (permalink / raw)
  To: thenzl, linux-scsi

Check the array size *before* dereferencing it with a user provided offset

Signed-off-by: Alan Cox <alan@linux.intel.com>
---
 drivers/scsi/esas2r/esas2r_ioctl.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c
index baf9130..3e84834 100644
--- a/drivers/scsi/esas2r/esas2r_ioctl.c
+++ b/drivers/scsi/esas2r/esas2r_ioctl.c
@@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
 	if (ioctl->header.channel == 0xFF) {
 		a = (struct esas2r_adapter *)hostdata;
 	} else {
-		a = esas2r_adapters[ioctl->header.channel];
-		if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {
+		if (ioctl->header.channel >= MAX_ADAPTERS ||
+			esas2r_adapters[ioctl->header.channel] == NULL) {
 			ioctl->header.return_code = IOCTL_BAD_CHANNEL;
 			esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
 			kfree(ioctl);
 
 			return -ENOTSUPP;
 		}
+		a = esas2r_adapters[ioctl->header.channel];
 	}
 
 	switch (cmd) {


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] esas2r: Fix array overrun
  2016-02-15 19:01 [PATCH] esas2r: Fix array overrun Alan
@ 2016-02-16  7:02 ` Johannes Thumshirn
  2016-02-16 12:24 ` Tomas Henzl
  2016-02-18  0:16 ` Martin K. Petersen
  2 siblings, 0 replies; 4+ messages in thread
From: Johannes Thumshirn @ 2016-02-16  7:02 UTC (permalink / raw)
  To: Alan; +Cc: thenzl, linux-scsi

On Mon, Feb 15, 2016 at 07:01:29PM +0000, Alan wrote:
> Check the array size *before* dereferencing it with a user provided offset
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>
> ---
>  drivers/scsi/esas2r/esas2r_ioctl.c |    5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/esas2r/esas2r_ioctl.c b/drivers/scsi/esas2r/esas2r_ioctl.c
> index baf9130..3e84834 100644
> --- a/drivers/scsi/esas2r/esas2r_ioctl.c
> +++ b/drivers/scsi/esas2r/esas2r_ioctl.c
> @@ -1360,14 +1360,15 @@ int esas2r_ioctl_handler(void *hostdata, int cmd, void __user *arg)
>  	if (ioctl->header.channel == 0xFF) {
>  		a = (struct esas2r_adapter *)hostdata;
>  	} else {
> -		a = esas2r_adapters[ioctl->header.channel];
> -		if (ioctl->header.channel >= MAX_ADAPTERS || (a == NULL)) {
> +		if (ioctl->header.channel >= MAX_ADAPTERS ||
> +			esas2r_adapters[ioctl->header.channel] == NULL) {
>  			ioctl->header.return_code = IOCTL_BAD_CHANNEL;
>  			esas2r_log(ESAS2R_LOG_WARN, "bad channel value");
>  			kfree(ioctl);
>  
>  			return -ENOTSUPP;
>  		}
> +		a = esas2r_adapters[ioctl->header.channel];
>  	}
>  
>  	switch (cmd) {
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>

-- 
Johannes Thumshirn                                          Storage
jthumshirn@suse.de                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] esas2r: Fix array overrun
  2016-02-15 19:01 [PATCH] esas2r: Fix array overrun Alan
  2016-02-16  7:02 ` Johannes Thumshirn
@ 2016-02-16 12:24 ` Tomas Henzl
  2016-02-18  0:16 ` Martin K. Petersen
  2 siblings, 0 replies; 4+ messages in thread
From: Tomas Henzl @ 2016-02-16 12:24 UTC (permalink / raw)
  To: Alan, linux-scsi

On 15.2.2016 20:01, Alan wrote:
> Check the array size *before* dereferencing it with a user provided offset
>
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Reviewed-by: Tomas Henzl <thenzl@redhat.com>

Tomas


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] esas2r: Fix array overrun
  2016-02-15 19:01 [PATCH] esas2r: Fix array overrun Alan
  2016-02-16  7:02 ` Johannes Thumshirn
  2016-02-16 12:24 ` Tomas Henzl
@ 2016-02-18  0:16 ` Martin K. Petersen
  2 siblings, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2016-02-18  0:16 UTC (permalink / raw)
  To: Alan; +Cc: thenzl, linux-scsi

>>>>> "Alan" == Alan  <gnomes@lxorguk.ukuu.org.uk> writes:

Alan> Check the array size *before* dereferencing it with a user
Alan> provided offset

Applied to 4.6/scsi-queue.

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-02-18  0:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-15 19:01 [PATCH] esas2r: Fix array overrun Alan
2016-02-16  7:02 ` Johannes Thumshirn
2016-02-16 12:24 ` Tomas Henzl
2016-02-18  0:16 ` Martin K. Petersen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).