linux/drivers
Dan Rosenberg b5b515445f [SCSI] pmcraid: reject negative request size
There's a code path in pmcraid that can be reached via device ioctl that
causes all sorts of ugliness, including heap corruption or triggering the
OOM killer due to consecutive allocation of large numbers of pages.

First, the user can call pmcraid_chr_ioctl(), with a type
PMCRAID_PASSTHROUGH_IOCTL.  This calls through to
pmcraid_ioctl_passthrough().  Next, a pmcraid_passthrough_ioctl_buffer
is copied in, and the request_size variable is set to
buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit
signed value provided by the user.  If a negative value is provided
here, bad things can happen.  For example,
pmcraid_build_passthrough_ioadls() is called with this request_size,
which immediately calls pmcraid_alloc_sglist() with a negative size.
The resulting math on allocating a scatter list can result in an
overflow in the kzalloc() call (if num_elem is 0, the sglist will be
smaller than expected), or if num_elem is unexpectedly large the
subsequent loop will call alloc_pages() repeatedly, a high number of
pages will be allocated and the OOM killer might be invoked.

It looks like preventing this value from being negative in
pmcraid_ioctl_passthrough() would be sufficient.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2011-07-27 17:26:21 +04:00
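
A user-space model of the failure mode the commit message above describes, added here as an illustration and not taken from the pmcraid driver: a signed length reaches element-count and allocation-size arithmetic unchecked, next to an entry point that rejects negative values first. ELEM_BYTES, the struct layouts, the "header plus (n - 1) elements" sizing formula and all function names are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ELEM_BYTES 4096                                  /* assumed bytes per list element */
struct model_sg   { void *page; unsigned int len; };     /* stand-in list element */
struct model_list { int num; struct model_sg sg[1]; };   /* header with one inline element */

/* Element count as computed by a routine that trusts a signed length.
 * C division and remainder truncate toward zero, so a negative length
 * passes straight through and yields a small or negative count. */
int model_num_elem(int buflen)
{
    int n = buflen / ELEM_BYTES;
    return (buflen % ELEM_BYTES) ? n + 1 : n;
}

/* Bytes requested for the header plus (n - 1) extra elements. The count is
 * converted to size_t, so n <= 0 wraps the unsigned multiplication. */
size_t model_alloc_bytes(int n)
{
    return sizeof(struct model_list) + sizeof(struct model_sg) * ((size_t)n - 1);
}

/* Hardened entry point: validate the caller-supplied signed length before
 * any size arithmetic. Returns 0 and the element count, or -EINVAL. */
int checked_num_elem(int request_size, int *num_elem)
{
    if (request_size < 0)
        return -EINVAL;
    *num_elem = model_num_elem(request_size);
    return 0;
}

int main(void)
{
    int n = 0;
    /* Constructed inputs: two negative lengths and one ordinary length. */
    printf("len=-1    -> num_elem=%d\n", model_num_elem(-1));
    printf("len=-4096 -> num_elem=%d, alloc=%zu bytes\n",
           model_num_elem(-ELEM_BYTES), model_alloc_bytes(model_num_elem(-ELEM_BYTES)));
    printf("num_elem=0 -> alloc=%zu bytes, header alone is %zu\n",
           model_alloc_bytes(0), sizeof(struct model_list));
    printf("checked(-1)=%d checked(8192)=%d\n",
           checked_num_elem(-1, &n), checked_num_elem(8192, &n));
    return 0;
}
```
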
accessibility
acpi Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
amba
ata drivers: use kzalloc/kcalloc instead of 'kmalloc+memset', where possible 2011-07-25 20:57:13 -07:00
atm lanai: use pci_dev->subsystem_device 2011-07-12 07:59:38 -07:00
auxdisplay
base Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2011-07-25 12:53:15 -07:00
bcma Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
block Merge branch 'for-3.1/drivers' of git://git.kernel.dk/linux-block 2011-07-25 10:38:18 -07:00
bluetooth Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-07-15 10:05:24 -04:00
cdrom
char Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
clk
clocksource Merge branch 'timers-clocksource-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2011-07-23 10:34:47 -07:00
connector drivers/connector/cn_proc.c: remove unused local 2011-07-25 20:57:17 -07:00
cpufreq [CPUFREQ] s5pv210: make needlessly global symbols static 2011-07-13 18:30:00 -04:00
cpuidle
crypto Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2011-07-25 12:53:15 -07:00
dca
dio
dma Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
edac
eisa eisa/pci_eisa.c: fix section mismatch 2011-07-25 20:57:14 -07:00
firewire Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2011-07-22 14:49:48 -07:00
firmware drivers/firmware/sigma.c needs MODULE_LICENSE 2011-07-25 20:57:16 -07:00
gpio Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
gpu Merge 'akpm' patch series 2011-07-25 21:00:19 -07:00
hid Merge branches 'roccat', 'upstream' and 'wiimote' into for-linus 2011-07-22 22:47:08 +02:00
hwmon Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging 2011-07-25 14:10:34 -07:00
hwspinlock
i2c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
ide Merge branch 'master' into for-next 2011-07-11 14:15:55 +02:00
idle
ieee802154
infiniband Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband 2011-07-22 14:50:12 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
iommu iommu/amd: Don't use MSI address range for DMA addresses 2011-07-06 17:14:44 +02:00
isdn Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
leds arch/arm/mach-ux500/board-u5500.c: calibrate ALS input voltage 2011-07-25 20:57:15 -07:00
lguest lguest: Fix in/out emulation 2011-07-22 14:39:51 +09:30
macintosh drivers: fix up various ->llseek() implementations 2011-07-20 20:47:58 -04:00
mca
md Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2011-07-22 19:02:39 -07:00
media Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
memstick
message [SCSI] mptfusion : Added check for SILI bit in READ_6 CDB for DATA UNDERRUN ERRATA 2011-07-27 14:20:02 +04:00
mfd Merge branch 'master' into for-next 2011-07-11 14:15:55 +02:00
misc Merge 'akpm' patch series 2011-07-25 21:00:19 -07:00
mmc Merge 'akpm' patch series 2011-07-25 21:00:19 -07:00
mtd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
net Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
nfc NFC: pn533: add NXP pn533 nfc device driver 2011-07-05 15:26:58 -04:00
nubus
of of: fix missing include from of_pci.c 2011-07-23 23:53:55 -06:00
oprofile perf: Remove the nmi parameter from the oprofile_perf backend 2011-07-21 20:41:58 +02:00
parisc
parport
pci Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
pcmcia Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
platform asus-wmi: ->is_visible() can't return negative 2011-07-24 10:12:19 -04:00
pnp Merge 'akpm' patch series 2011-07-25 21:00:19 -07:00
power
pps
ps3
ptp
rapidio
regulator regulator: Convert tps65023 to use regmap API 2011-07-23 07:57:02 +01:00
rtc Merge 'akpm' patch series 2011-07-25 21:00:19 -07:00
s390 [S390] dasd: add enhanced DASD statistics interface 2011-07-24 10:48:23 +02:00
sbus
scsi [SCSI] pmcraid: reject negative request size 2011-07-27 17:26:21 +04:00
sfi
sh switch assorted clock drivers to debugfs_remove_recursive() 2011-07-20 20:47:51 -04:00
sn
spi Merge branch 'spi/next' of git://git.secretlab.ca/git/linux-2.6 2011-07-22 14:52:44 -07:00
ssb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
staging Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
target Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
tc
telephony
thermal
tty Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
uio
usb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-07-25 13:56:39 -07:00
uwb uwb: Fix misspelling of neighbourhood in comment 2011-07-21 14:03:41 +02:00
vhost vhost: handle wrap around in # of bufs math 2011-07-21 10:48:27 +03:00
video Merge 'akpm' patch series 2011-07-25 21:00:19 -07:00
virtio virtio: expose for non-virtualization users too 2011-07-23 16:20:30 +09:30
vlynq
w1 w1: ds1wm: add a reset recovery parameter 2011-07-08 21:14:44 -07:00
watchdog watchdog: hpwdt depends on PCI 2011-07-17 12:40:08 +00:00
xen xen/balloon: memory hotplug support for Xen balloon driver 2011-07-25 20:57:08 -07:00
zorro
Kconfig virtio: expose for non-virtualization users too 2011-07-23 16:20:30 +09:30
Makefile Merge branch 'core-iommu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2011-07-22 16:39:42 -07:00