summaryrefslogtreecommitdiffstats
path: root/drivers/ide/ide-taskfile.c
diff options
context:
space:
mode:
authorAlan Cox <alan@lxorguk.ukuu.org.uk>2006-10-16 16:31:02 +0100
committerLinus Torvalds <torvalds@g5.osdl.org>2006-10-16 08:27:54 -0700
commit3a42bb223f61fbd755d6e61b9b50b9681d68fcae (patch)
tree7c3a3f9839efbe70c4aa27b94b5f2a7b367cbcdc /drivers/ide/ide-taskfile.c
parent9d90dafdb1f0e3c2b69fa8d3fbe99649127c8fa4 (diff)
downloadop-kernel-dev-3a42bb223f61fbd755d6e61b9b50b9681d68fcae.zip
op-kernel-dev-3a42bb223f61fbd755d6e61b9b50b9681d68fcae.tar.gz
[PATCH] ide: add sanity checking to ide taskfile ioctl
Without this the user can feed in bogus values and get very bogus results. Security impact is minimal as this ioctl isn't available to unpriviledged processes anyway. Reported to the l/k list and found with an auditing tool. Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/ide/ide-taskfile.c')
-rw-r--r--drivers/ide/ide-taskfile.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/ide/ide-taskfile.c b/drivers/ide/ide-taskfile.c
index 1d0470c..30175c7 100644
--- a/drivers/ide/ide-taskfile.c
+++ b/drivers/ide/ide-taskfile.c
@@ -524,8 +524,8 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
task_ioreg_t *hobsptr = args.hobRegister;
int err = 0;
int tasksize = sizeof(struct ide_task_request_s);
- int taskin = 0;
- int taskout = 0;
+ unsigned int taskin = 0;
+ unsigned int taskout = 0;
u8 io_32bit = drive->io_32bit;
char __user *buf = (char __user *)arg;
@@ -538,8 +538,13 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
return -EFAULT;
}
- taskout = (int) req_task->out_size;
- taskin = (int) req_task->in_size;
+ taskout = req_task->out_size;
+ taskin = req_task->in_size;
+
+ if (taskin > 65536 || taskout > 65536) {
+ err = -EINVAL;
+ goto abort;
+ }
if (taskout) {
int outtotal = tasksize;
OpenPOWER on IntegriCloud