aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/ide
diff options
context:
space:
mode:
authorAlan Cox <alan@lxorguk.ukuu.org.uk>2006-10-16 11:31:02 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-10-16 11:27:54 -0400
commit3a42bb223f61fbd755d6e61b9b50b9681d68fcae (patch)
tree7c3a3f9839efbe70c4aa27b94b5f2a7b367cbcdc /drivers/ide
parent9d90dafdb1f0e3c2b69fa8d3fbe99649127c8fa4 (diff)
[PATCH] ide: add sanity checking to ide taskfile ioctl
Without this the user can feed in bogus values and get very bogus results. Security impact is minimal as this ioctl isn't available to unpriviledged processes anyway. Reported to the l/k list and found with an auditing tool. Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/ide')
-rw-r--r--drivers/ide/ide-taskfile.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/ide/ide-taskfile.c b/drivers/ide/ide-taskfile.c
index 1d0470c1f957..30175c7688e8 100644
--- a/drivers/ide/ide-taskfile.c
+++ b/drivers/ide/ide-taskfile.c
@@ -524,8 +524,8 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
524 task_ioreg_t *hobsptr = args.hobRegister; 524 task_ioreg_t *hobsptr = args.hobRegister;
525 int err = 0; 525 int err = 0;
526 int tasksize = sizeof(struct ide_task_request_s); 526 int tasksize = sizeof(struct ide_task_request_s);
527 int taskin = 0; 527 unsigned int taskin = 0;
528 int taskout = 0; 528 unsigned int taskout = 0;
529 u8 io_32bit = drive->io_32bit; 529 u8 io_32bit = drive->io_32bit;
530 char __user *buf = (char __user *)arg; 530 char __user *buf = (char __user *)arg;
531 531
@@ -538,8 +538,13 @@ int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
538 return -EFAULT; 538 return -EFAULT;
539 } 539 }
540 540
541 taskout = (int) req_task->out_size; 541 taskout = req_task->out_size;
542 taskin = (int) req_task->in_size; 542 taskin = req_task->in_size;
543
544 if (taskin > 65536 || taskout > 65536) {
545 err = -EINVAL;
546 goto abort;
547 }
543 548
544 if (taskout) { 549 if (taskout) {
545 int outtotal = tasksize; 550 int outtotal = tasksize;