提交 6d91d578 编写于 作者: D Dan Carpenter 提交者: Caspar Zhang

libnvdimm: Out of bounds read in __nd_ioctl()

fix #29902604

commit f84afbdd3a9e5e10633695677b95422572f920dc upstream

The "cmd" comes from the user and it can be up to 255.  It it's more
than the number of bits in long, it results out of bounds read when we
check test_bit(cmd, &cmd_mask).  The highest valid value for "cmd" is
ND_CMD_CALL (10) so I added a compare against that.

Fixes: 62232e45 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: NArtie Ding <artie.ding@linux.alibaba.com>
上级 b2250b44
...@@ -1005,7 +1005,9 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, ...@@ -1005,7 +1005,9 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
return -EFAULT; return -EFAULT;
} }
if (!desc || (desc->out_num + desc->in_num == 0) || if (!desc ||
(desc->out_num + desc->in_num == 0) ||
cmd > ND_CMD_CALL ||
!test_bit(cmd, &cmd_mask)) !test_bit(cmd, &cmd_mask))
return -ENOTTY; return -ENOTTY;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册