Forum | Documentation | Website | Blog

Skip to content
Snippets Groups Projects
Commit c47f5a57 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

gdth: integer overflow in ioctl

commit f63ae56e

 upstream.

gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer.  Then when we do the
copy_from_user(), it would result in a memory corruption.

Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment