Message ID | 1522558381-31281-1-git-send-email-rob.gardner@oracle.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | sparc64: Properly range check DAX completion index |

On Sat, Mar 31, 2018 at 9:53 PM, Rob Gardner <rob.gardner@oracle.com> wrote:
>
> Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
> Signed-off-by: Jonathan Helman <jonathan.helman@oracle.com>
> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>

That Reported-by: should be "oguard <oguard@protonmail.com>"

I was just the messenger.

Linus

--
To unsubscribe from this list: send the line "unsubscribe sparclinux" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On 04/01/2018 11:11 AM, Linus Torvalds wrote:
> On Sat, Mar 31, 2018 at 9:53 PM, Rob Gardner <rob.gardner@oracle.com> wrote:
>> Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
>> Signed-off-by: Jonathan Helman <jonathan.helman@oracle.com>
>> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
> That Reported-by: should be "oguard <oguard@protonmail.com>"
>
> I was just the messenger.
>
> Linus

oguard observed "lack of size check on the copy_from_user", but that wasn't really a bug since 'count' actually is checked in dax_write().

But you noticed that idx could be negative and idx + nccbs could overflow, and this is a genuine bug that nobody else saw.

Rob

From: Rob Gardner <rob.gardner@oracle.com>
Date: Sun, 1 Apr 2018 12:42:46 -0600

> On 04/01/2018 11:11 AM, Linus Torvalds wrote:
>> On Sat, Mar 31, 2018 at 9:53 PM, Rob Gardner <rob.gardner@oracle.com>
>> wrote:
>>> Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
>>> Signed-off-by: Jonathan Helman <jonathan.helman@oracle.com>
>>> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
>> That Reported-by: should be "oguard <oguard@protonmail.com>"
>>
>> I was just the messenger.
>>
>> Linus
>
>
> oguard observed "lack of size check on the copy_from_user", but that
> wasn't really a bug since 'count' actually is checked in dax_write().
>
> But you noticed that idx could be negative and idx + nccbs could
> overflow, and this is a genuine bug that nobody else saw.

Agreed, Linus's as the reporter is correct.

Applied and queued up for -stable, thank you.
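
The negative-index and overflow cases discussed in this thread, run through the pre-patch and post-patch conditions on constructed inputs. This is an added example, not code from the thread or the driver: DAX_CA_ELEMS is given a constructed value of 256, nccbs is assumed to be bounded to 0..DAX_CA_ELEMS by the caller, and the helper names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed value for this example; the driver defines its own. */
#define DAX_CA_ELEMS 256

/* Pre-patch condition. The sum is formed in unsigned arithmetic and
 * converted back, modelling wraparound without signed-overflow UB. */
static int old_check_accepts(int idx, int nccbs)
{
    int sum = (int)((unsigned int)idx + (unsigned int)nccbs);
    return !(sum >= DAX_CA_ELEMS);
}

/* Post-patch condition. Assumes 0 <= nccbs <= DAX_CA_ELEMS, so the
 * subtraction cannot wrap and no addition involving idx is needed. */
static int new_check_accepts(int idx, int nccbs)
{
    return !(idx < 0 || idx > (DAX_CA_ELEMS - nccbs));
}

/* Ground truth: entries idx .. idx+nccbs-1 all lie inside the array. */
static int range_in_bounds(int idx, int nccbs)
{
    long long end = (long long)idx + nccbs;
    return idx >= 0 && nccbs >= 0 && end <= DAX_CA_ELEMS;
}

int main(void)
{
    /* Constructed inputs: {idx, nccbs}. */
    static const int cases[][2] = {
        {0, 1}, {255, 1}, {256, 1}, {-5, 1}, {INT_MAX, 1}, {INT_MIN, 16},
    };
    puts("        idx nccbs  old new in-bounds");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int idx = cases[i][0], n = cases[i][1];
        printf("%11d %5d  %3d %3d %9d\n", idx, n, old_check_accepts(idx, n),
               new_check_accepts(idx, n), range_in_bounds(idx, n));
    }
    return 0;
}
```

The {255, 1} row also shows the boundary difference between the two conditions: the old form rejects a range that ends exactly at the last element, the new form accepts it.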
diff --git a/drivers/sbus/char/oradax.c b/drivers/sbus/char/oradax.c index d8597d5..96b4ad7 100644 --- a/drivers/sbus/char/oradax.c +++ b/drivers/sbus/char/oradax.c @@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx *ctx, const char __user *buf, dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx); /* for given index and length, verify ca_buf range exists */ - if (idx + nccbs >= DAX_CA_ELEMS) { + if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) { ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL; return 0; }
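
Review bot: in the new condition in dax_ccb_exec(), `idx > (DAX_CA_ELEMS - nccbs)` is a sound upper bound only if nccbs is a signed value already limited to 0..DAX_CA_ELEMS. A negative nccbs would raise the limit above DAX_CA_ELEMS, and an unsigned nccbs larger than DAX_CA_ELEMS would wrap the subtraction. Nothing in this hunk shows where nccbs is bounded (the thread only says count is checked in dax_write()), so I would extend the "verify ca_buf range exists" comment to name that guarantee, or add an explicit nccbs test next to `idx < 0`. Separately, the comparison moves from `>=` on the sum to `>` on the difference, so a request with idx + nccbs == DAX_CA_ELEMS that the removed line rejected is now accepted; please state in the commit message whether that boundary change is intended.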