[PATCH] drivers/staging/bcm: Integer overflow
The checking condition in 'validateFlash2xReadWrite()' is not sufficient.
A large number invalid would cause an integer overflow and pass
the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan
---
drivers/staging/bcm/nvm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/bcm/nvm.c b/drivers/staging/bcm/nvm.c
index 9e5f955..0615609 100644
--- a/drivers/staging/bcm/nvm.c
+++ b/drivers/staging/bcm/nvm.c
@@ -3945,7 +3945,9 @@ int validateFlash2xReadWrite(struct bcm_mini_adapter
*Adapter, struct bcm_flash2
BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, NVM_RW, DBG_LVL_ALL, "End
offset :%x\n", uiSectEndOffset);
/* Checking the boundary condition */
- if ((uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes) <=
uiSectEndOffset)
+ if (((uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes) <=
uiSectEndOffset)
+ && (uiSectStartOffset + psFlash2xReadWrite->offset >
uiSectStartOffset)
+ && (uiSectStartOffset + psFlash2xReadWrite->offset +
uiNumBytes > uiNumBytes))
return TRUE;
else {
BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid
Request");
--
1.8.5.rc1.28.g7061504
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] drivers/staging/bcm: Integer overflow
The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan --- drivers/staging/bcm/nvm.c | 5 + 1 file changed, 5 insertions(+) diff --git a/drivers/staging/bcm/nvm.c b/drivers/staging/bcm/nvm.c index 9e5f955..7f3dd4b 100644 --- a/drivers/staging/bcm/nvm.c +++ b/drivers/staging/bcm/nvm.c @@ -3944,6 +3944,11 @@ int validateFlash2xReadWrite(struct bcm_mini_adapter *Adapter, struct bcm_flash2 BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, NVM_RW, DBG_LVL_ALL, "End offset :%x\n", uiSectEndOffset); + /* psFlash2xReadWrite->offset and uiNumOfBytes are user controlled and can lead to integer overflows */ + if (uiSectStartOffset + psFlash2xReadWrite->offset < uiSectStartOffset) + return false; + if (uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes < uiNumOfBytes) + return false; /* Checking the boundary condition */ if ((uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes) <= uiSectEndOffset) return TRUE; -- 1.8.5.rc1.28.g7061504 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] drivers/staging/bcm: Integer overflow
The checking condition in 'validateFlash2xReadWrite()' is not
sufficient. A large number invalid would cause an integer overflow and
pass the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan
---
drivers/staging/bcm/nvm.c | 9 +
1 file changed, 9 insertions(+)
diff --git a/drivers/staging/bcm/nvm.c b/drivers/staging/bcm/nvm.c
index 9e5f955..3165da8 100644
--- a/drivers/staging/bcm/nvm.c
+++ b/drivers/staging/bcm/nvm.c
@@ -3944,6 +3944,15 @@ int validateFlash2xReadWrite(struct bcm_mini_adapter
*Adapter, struct bcm_flash2
BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, NVM_RW, DBG_LVL_ALL, "End
offset :%x\n", uiSectEndOffset);
+ /* psFlash2xReadWrite->offset and uiNumOfBytes are user controlled and
can lead to integer overflows */
+ if (psFlash2xReadWrite->offset > uiSectEndOffset) {
+ BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid
Request");
+ return false;
+ }
+ if (uiNumOfBytes > uiSectEndOffset) {
+ BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid
Request");
+ return false;
+ }
/* Checking the boundary condition */
if ((uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes) <=
uiSectEndOffset)
return TRUE;
--
1.8.5.rc1.28.g7061504
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
