From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, shqking <shqking@gmail.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.13 072/109] scsi: qla2xxx: Fix an integer overflow in sysfs code
Date: Sun, 24 Sep 2017 22:33:33 +0200
Message-ID: <20170924203355.987211466@linuxfoundation.org>
In-Reply-To: <20170924203353.104695385@linuxfoundation.org>

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e6f77540c067b48dee10f1e33678415bfcc89017 upstream.

The value of "size" comes from the user.  When we add "start + size" it
could lead to an integer overflow bug.

It means we vmalloc() a lot more memory than we had intended.  I believe
that on 64 bit systems vmalloc() can succeed even if we ask it to
allocate huge 4GB buffers.  So we would get memory corruption and likely
a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().

Only root can trigger this bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061

Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
Reported-by: shqking <shqking@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_attr.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
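The wrap the commit message describes, shown as an added example that is not part of this patch or of the qla2xxx driver: the 1 MiB `OPTROM_SIZE`, the `uint32_t` types for `start`/`size` and the function names `region_size_before()` / `region_size_after()` / `region_in_bounds()` are all assumptions. The first function reproduces the removed ternary, the second the clamp the patch adds, and the third checks whether the resulting length keeps the region inside the flash part.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for ha->optrom_size: a 1 MiB option ROM. */
#define OPTROM_SIZE 0x100000u

/* Length computation as it was before the patch. "start + size" is
 * evaluated in 32 bits (assumed uint32_t, as parsed from sysfs), so a
 * huge size wraps the sum below OPTROM_SIZE and the ternary keeps the
 * unclamped size. Returns the length handed to vmalloc(), or -1 where
 * the driver would return -EINVAL. */
int64_t region_size_before(uint32_t start, uint32_t size)
{
	if (start > OPTROM_SIZE)
		return -1;
	return start + size > OPTROM_SIZE ? OPTROM_SIZE - start : size;
}

/* Length computation with the patch's clamp: compare size against the
 * remaining space instead of forming the sum, so nothing can wrap.
 * OPTROM_SIZE - start cannot underflow because start was validated. */
int64_t region_size_after(uint32_t start, uint32_t size)
{
	if (start > OPTROM_SIZE)
		return -1;
	if (size > OPTROM_SIZE - start)
		size = OPTROM_SIZE - start;
	return size; /* region length; start + size <= OPTROM_SIZE now holds */
}

/* True when a [start, start + len) region lies inside the flash part. */
bool region_in_bounds(uint32_t start, uint32_t len)
{
	return start <= OPTROM_SIZE && len <= OPTROM_SIZE - start;
}

int main(void)
{
	/* Constructed input: start past the beginning, size near UINT32_MAX,
	 * so start + size wraps to 0xFFF and passes the old comparison. */
	uint32_t start = 0x1000, size = 0xFFFFFFFFu;
	int64_t before = region_size_before(start, size);
	int64_t after = region_size_after(start, size);

	printf("before patch: len=0x%llx in_bounds=%d\n",
	       (unsigned long long)before, region_in_bounds(start, (uint32_t)before));
	printf("after patch:  len=0x%llx in_bounds=%d\n",
	       (unsigned long long)after, region_in_bounds(start, (uint32_t)after));
	return 0;
}
```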

--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
 		return -EINVAL;
 	if (start > ha->optrom_size)
 		return -EINVAL;
+	if (size > ha->optrom_size - start)
+		size = ha->optrom_size - start;
 
 	mutex_lock(&ha->optrom_mutex);
 	switch (val) {
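Review bot: the new clamp `if (size > ha->optrom_size - start)` is the real fix and is correctly placed: the preceding `if (start > ha->optrom_size)` guarantees `start <= ha->optrom_size`, so the subtraction cannot underflow, and comparing `size` against the remaining space never forms the `start + size` sum that could wrap. Two points for the commit message or an inline comment: the clamp silently truncates an oversized request rather than returning -EINVAL (the old ternary did the same, but it is now less visible at the use sites), and the ordering of the two checks matters, so a short comment above the clamp would stop someone from reordering them later.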
@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
 		}
 
 		ha->optrom_region_start = start;
-		ha->optrom_region_size = start + size > ha->optrom_size ?
-		    ha->optrom_size - start : size;
+		ha->optrom_region_size = start + size;
 
 		ha->optrom_state = QLA_SREADING;
 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
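Review bot: `ha->optrom_region_size = start + size;` stores a different quantity than the line it replaces. The removed ternary stored a length (`size`, or `ha->optrom_size - start` when clamped), and the field is consumed as a length two lines later by `vmalloc(ha->optrom_region_size)`; `start + size` is the region's end offset, so the buffer is over-allocated by `start` bytes and any consumer that treats the field as a transfer length will read `start` bytes beyond the requested region. With the clamp from the first hunk in place, `size` is already bounded, so this line should be `ha->optrom_region_size = size;`.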
@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
 		}
 
 		ha->optrom_region_start = start;
-		ha->optrom_region_size = start + size > ha->optrom_size ?
-		    ha->optrom_size - start : size;
+		ha->optrom_region_size = start + size;
 
 		ha->optrom_state = QLA_SWRITING;
 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
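Review bot: same issue as in the QLA_SREADING hunk: `ha->optrom_region_size = start + size;` stores an end offset into a field that the next `vmalloc(ha->optrom_region_size)` treats as a length, and the commit message names `ha->isp_ops->write_optrom()` as a later consumer of this buffer, so an inflated length on the write path can push more than the intended region towards flash. Suggest `ha->optrom_region_size = size;` here as well, relying on the clamp added in the first hunk.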

