Dan,

> The value of "size" comes from the user.  When we add "start + size"
> it could lead to an integer overflow bug.
>
> It means we vmalloc() a lot more memory than we had intended.  I
> believe that on 64 bit systems vmalloc() can succeed even if we ask it
> to allocate huge 4GB buffers.  So we would get memory corruption and
> likely a crash when we call ha->isp_ops->write_optrom() and
> ->read_optrom().

Applied to 4.13/scsi-fixes. Thank you!

-- 
Martin K. Petersen      Oracle Linux Engineering
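The wrap-around Dan describes, alongside the bound check that closes it, as an added illustration written for this thread rather than the qla2xxx patch itself; the function names, the 16 MiB region size and the sample ranges are constructed for the example.

```c
/* Added example, not the driver's own code: the unchecked "start + size"
 * range test and its overflow-safe form. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>

/* Constructed region size standing in for the driver's option-ROM size. */
#define OPTROM_SIZE 0x1000000u   /* 16 MiB */

/* Unchecked form: start and size are 32-bit unsigned values taken from
 * user input, so "start + size" can wrap to a small number and pass the
 * bound test even though the requested range ends far beyond the region. */
bool range_ok_unchecked(uint32_t start, uint32_t size, uint32_t region)
{
    uint32_t end = start + size;   /* may wrap around */
    return end <= region;
}

/* Checked form: compare size against the room left after start, which
 * cannot overflow, instead of computing start + size at all. */
bool range_ok_checked(uint32_t start, uint32_t size, uint32_t region)
{
    if (start > region)
        return false;
    if (size > region - start)     /* start + size > region, without wrap */
        return false;
    return true;
}

/* Hypothetical allocation-size path of the unchecked driver: when the sum
 * wraps, the clamp never triggers and the raw user size (close to 4 GiB for
 * a wrapping input) is what would be handed to vmalloc(). */
uint32_t naive_region_size(uint32_t start, uint32_t size, uint32_t region)
{
    return (start + size > region) ? (region - start) : size;
}
```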