mptfusion: prevent some memory corruption

These are signed values the come from the user, we put a cap on the
upper bounds but not on the lower bounds.

We use "karg.dataSgeOffset" to calculate "sz".  We verify "sz" and
proceed as if that means that "karg.dataSgeOffset" is correct but this
fails to consider that the "sz" calculations can have integer overflows.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>

diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
index 70bb7530b22ccb5ccc66e6abd7559e3f6f47944a..fc73937290812df292d9654ed43ec19f40497edf 100644 (file)
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
        }
        spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
 
+       /* Basic sanity checks to prevent underflows or integer overflows */
+       if (karg.maxReplyBytes < 0 ||
+           karg.dataInSize < 0 ||
+           karg.dataOutSize < 0 ||
+           karg.dataSgeOffset < 0 ||
+           karg.maxSenseBytes < 0 ||
+           karg.dataSgeOffset > ioc->req_sz / 4)
+               return -EINVAL;
+
        /* Verify that the final request frame will not be too large.
         */
        sz = karg.dataSgeOffset * 4;