Without this the user can feed in bogus values and get very bogus
results. Security impact is minimal as this ioctl isn't available to
unpriviledged processes anyway.
Reported to the l/k list and found with an auditing tool.
Signed-off-by: Alan Cox <[email protected]>
diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.19-rc1-mm1/drivers/ide/ide-taskfile.c linux-2.6.19-rc1-mm1/drivers/ide/ide-taskfile.c
--- linux.vanilla-2.6.19-rc1-mm1/drivers/ide/ide-taskfile.c 2006-10-13 15:09:30.000000000 +0100
+++ linux-2.6.19-rc1-mm1/drivers/ide/ide-taskfile.c 2006-10-14 19:27:11.000000000 +0100
@@ -524,8 +524,8 @@
task_ioreg_t *hobsptr = args.hobRegister;
int err = 0;
int tasksize = sizeof(struct ide_task_request_s);
- int taskin = 0;
- int taskout = 0;
+ unsigned int taskin = 0;
+ unsigned int taskout = 0;
u8 io_32bit = drive->io_32bit;
char __user *buf = (char __user *)arg;
@@ -538,8 +538,13 @@
return -EFAULT;
}
- taskout = (int) req_task->out_size;
- taskin = (int) req_task->in_size;
+ taskout = req_task->out_size;
+ taskin = req_task->in_size;
+
+ if (taskin > 65536 || taskout > 65536) {
+ err = -EINVAL;
+ goto abort;
+ }
if (taskout) {
int outtotal = tasksize;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
