Commit 4d02a2fc authored by Andrew Morton's avatar Andrew Morton Committed by James Bottomley

[PATCH] drivers/scsi/megaraid.c: user/kernel pointer bugs

From: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>

Since arg is a user pointer, so are uioc_mimd and uiocp, and hence umc is a
user pointer.  Thus reading umc->xferaddr requires dereferencing a user
pointer, which isn't safe.
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@SteelEye.com>
parent de743b7a
...@@ -3815,7 +3815,8 @@ mega_n_to_m(void *arg, megacmd_t *mc) ...@@ -3815,7 +3815,8 @@ mega_n_to_m(void *arg, megacmd_t *mc)
umc = MBOX_P(uiocp); umc = MBOX_P(uiocp);
upthru = (mega_passthru *)umc->xferaddr; if (get_user(upthru, (mega_passthru **)&umc->xferaddr))
return (-EFAULT);
if( put_user(mc->status, (u8 *)&upthru->scsistatus) ) if( put_user(mc->status, (u8 *)&upthru->scsistatus) )
return (-EFAULT); return (-EFAULT);
...@@ -3831,7 +3832,8 @@ mega_n_to_m(void *arg, megacmd_t *mc) ...@@ -3831,7 +3832,8 @@ mega_n_to_m(void *arg, megacmd_t *mc)
umc = (megacmd_t *)uioc_mimd->mbox; umc = (megacmd_t *)uioc_mimd->mbox;
upthru = (mega_passthru *)umc->xferaddr; if (get_user(upthru, (mega_passthru **)&umc->xferaddr))
return (-EFAULT);
if( put_user(mc->status, (u8 *)&upthru->scsistatus) ) if( put_user(mc->status, (u8 *)&upthru->scsistatus) )
return (-EFAULT); return (-EFAULT);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment