[PATCH] ide: add sanity checking to ide taskfile ioctl

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Without this the user can feed in bogus values and get very bogus
results. Security impact is minimal as this ioctl isn't available to
unpriviledged processes anyway.

Reported to the l/k list and found with an auditing tool.

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

Alan Cox and committed by

Linus Torvalds 19 years ago 3a42bb22 9d90dafd

+9 -4

1 changed file

expand all

drivers

ide

ide-taskfile.c

+9 -4

drivers/ide/ide-taskfile.c

··· 524 524 task_ioreg_t *hobsptr = args.hobRegister; 525 525 int err = 0; 526 526 int tasksize = sizeof(struct ide_task_request_s); 527 - int taskin = 0; 528 - int taskout = 0; 527 + unsigned int taskin = 0; 528 + unsigned int taskout = 0; 529 529 u8 io_32bit = drive->io_32bit; 530 530 char __user *buf = (char __user *)arg; 531 531 ··· 538 538 return -EFAULT; 539 539 } 540 540 541 - taskout = (int) req_task->out_size; 542 - taskin = (int) req_task->in_size; 541 + taskout = req_task->out_size; 542 + taskin = req_task->in_size; 543 + 544 + if (taskin > 65536 || taskout > 65536) { 545 + err = -EINVAL; 546 + goto abort; 547 + } 543 548 544 549 if (taskout) { 545 550 int outtotal = tasksize;