ipmi: ssif_bmc: prevent integer overflow on 32bit systems
There are actually two bugs here. First, we need to ensure that count is at least sizeof(u32) or msg.len will be uninitialized data. The "msg.len" variable is a u32 that comes from the user. On 32bit systems the "sizeof_field(struct ipmi_ssif_msg, len) + msg.len" addition can overflow if "msg.len" is greater than U32_MAX - 4. Valid lengths for "msg.len" are 1-254. Add a check for that to prevent the integer overflow. Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Message-Id: <1431ca2e-4e9c-4520-bfc0-6879313c30e9@moroto.mountain> Signed-off-by: Corey Minyard <corey@minyard.net>
This commit is contained in:
parent
0cac73eb38
commit
0627cef361
@ -177,13 +177,15 @@ static ssize_t ssif_bmc_write(struct file *file, const char __user *buf, size_t
|
|||||||
unsigned long flags;
|
unsigned long flags;
|
||||||
ssize_t ret;
|
ssize_t ret;
|
||||||
|
|
||||||
if (count > sizeof(struct ipmi_ssif_msg))
|
if (count < sizeof(msg.len) ||
|
||||||
|
count > sizeof(struct ipmi_ssif_msg))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
if (copy_from_user(&msg, buf, count))
|
if (copy_from_user(&msg, buf, count))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
if (!msg.len || count < sizeof_field(struct ipmi_ssif_msg, len) + msg.len)
|
if (!msg.len || msg.len > IPMI_SSIF_PAYLOAD_MAX ||
|
||||||
|
count < sizeof_field(struct ipmi_ssif_msg, len) + msg.len)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
spin_lock_irqsave(&ssif_bmc->lock, flags);
|
spin_lock_irqsave(&ssif_bmc->lock, flags);
|
||||||
|
Loading…
x
Reference in New Issue
Block a user