mptfusion: prevent some memory corruption

commit e819cdb198319cccf4af4fc12ac4d796109d8c23 upstream.

These are signed values the come from the user, we put a cap on the
upper bounds but not on the lower bounds.

We use "karg.dataSgeOffset" to calculate "sz".  We verify "sz" and
proceed as if that means that "karg.dataSgeOffset" is correct but this
fails to consider that the "sz" calculations can have integer overflows.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Cc: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
index dcc8385adeb3b8b830a58cfad62f19604122a52b..39e824f65f5c41d5cb7699a6c8bd611058205354 100644 (file)
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -1872,6 +1872,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
        }
        spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
 
+       /* Basic sanity checks to prevent underflows or integer overflows */
+       if (karg.maxReplyBytes < 0 ||
+           karg.dataInSize < 0 ||
+           karg.dataOutSize < 0 ||
+           karg.dataSgeOffset < 0 ||
+           karg.maxSenseBytes < 0 ||
+           karg.dataSgeOffset > ioc->req_sz / 4)
+               return -EINVAL;
+
        /* Verify that the final request frame will not be too large.
         */
        sz = karg.dataSgeOffset * 4;