Comment 1 for bug 711797

Andy Whitcroft (apw) wrote :

Upstream commit as below:

  commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4
  Author: Dan Carpenter <email address hidden>
  Date: Fri Oct 8 09:03:07 2010 +0200

    [SCSI] gdth: integer overflow in ioctl

    gdth_ioctl_alloc() takes the size variable as an int.
    copy_from_user() takes the size variable as an unsigned long.
    gen.data_len and gen.sense_len are unsigned longs.
    On x86_64 longs are 64 bit and ints are 32 bit.

    We could pass in a very large number and the allocation would truncate
    the size to 32 bits and allocate a small buffer. Then when we do the
    copy_from_user(), it would result in a memory corruption.

    CC: <email address hidden>
    Signed-off-by: Dan Carpenter <email address hidden>
    Signed-off-by: James Bottomley <email address hidden>