drivers/staging/bcm: Integer overflow

The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/staging/bcm: Integer overflow
The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1b1290e5 · Wenliang Fan · Greg Kroah-Hartman · 01b6442b · 1b1290e5
Commit 1b1290e5 authored Dec 20, 2013 by Wenliang Fan Committed by Greg Kroah-Hartman Dec 20, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

drivers/staging/bcm/nvm.c drivers/staging/bcm/nvm.c +9 -0

No files found.
--- a/drivers/staging/bcm/nvm.c
+++ b/drivers/staging/bcm/nvm.c
@@ -3944,6 +3944,15 @@ int validateFlash2xReadWrite(struct bcm_mini_adapter *Adapter, struct bcm_flash2

 	BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, NVM_RW, DBG_LVL_ALL, "End offset :%x\n", uiSectEndOffset);

+	/* psFlash2xReadWrite->offset and uiNumOfBytes are user controlled and can lead to integer overflows */
+	if (psFlash2xReadWrite->offset > uiSectEndOffset) {
+		BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid Request....");
+		return false;
+	}
+	if (uiNumOfBytes > uiSectEndOffset) {
+		BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid Request....");
+		return false;
+	}
 	/* Checking the boundary condition */
 	if ((uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes) <= uiSectEndOffset)
 		return TRUE;