Commit 3a42bb22 authored by Alan Cox Committed by Linus Torvalds

[PATCH] ide: add sanity checking to ide taskfile ioctl

Without this the user can feed in bogus values and get very bogus
results. Security impact is minimal as this ioctl isn't available to
unprivileged processes anyway.

Reported to the l/k list and found with an auditing tool.
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 9d90dafd
...@@ -524,8 +524,8 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg) ...@@ -524,8 +524,8 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
task_ioreg_t *hobsptr = args.hobRegister; task_ioreg_t *hobsptr = args.hobRegister;
int err = 0; int err = 0;
int tasksize = sizeof(struct ide_task_request_s); int tasksize = sizeof(struct ide_task_request_s);
int taskin = 0; unsigned int taskin = 0;
int taskout = 0; unsigned int taskout = 0;
u8 io_32bit = drive->io_32bit; u8 io_32bit = drive->io_32bit;
char __user *buf = (char __user *)arg; char __user *buf = (char __user *)arg;
...@@ -538,8 +538,13 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg) ...@@ -538,8 +538,13 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
return -EFAULT; return -EFAULT;
} }
taskout = (int) req_task->out_size; taskout = req_task->out_size;
taskin = (int) req_task->in_size; taskin = req_task->in_size;
if (taskin > 65536 || taskout > 65536) {
err = -EINVAL;
goto abort;
}
if (taskout) { if (taskout) {
int outtotal = tasksize; int outtotal = tasksize;
......
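Review bot: The `65536` bound is applied only after `req_task->out_size` and `req_task->in_size` have been stored into the `unsigned int` locals, so if those fields are wider than `unsigned int` (their declaration is not shown here, though the removed `(int)` casts hint that they may be), an oversized request is truncated first and can pass the check as a small one. Comparing the fields themselves before narrowing, `if (req_task->in_size > 65536 || req_task->out_size > 65536) {`, would reject such a request outright. The bare literal would also read better as a named constant with a short comment saying where the limit comes from. The body of `ide_taskfile_ioctl` and the `abort` label lie outside the hunk, so it is worth confirming that `abort` releases `req_task` and tolerates the still-unallocated buffers.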