kernel-fxtec-pro1x/drivers/scsi
Dan Rosenberg b5b515445f [SCSI] pmcraid: reject negative request size
There's a code path in pmcraid that can be reached via device ioctl that
causes all sorts of ugliness, including heap corruption or triggering the
OOM killer due to consecutive allocation of large numbers of pages.

First, the user can call pmcraid_chr_ioctl(), with a type
PMCRAID_PASSTHROUGH_IOCTL.  This calls through to
pmcraid_ioctl_passthrough().  Next, a pmcraid_passthrough_ioctl_buffer
is copied in, and the request_size variable is set to
buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit
signed value provided by the user.  If a negative value is provided
here, bad things can happen.  For example,
pmcraid_build_passthrough_ioadls() is called with this request_size,
which immediately calls pmcraid_alloc_sglist() with a negative size.
The resulting math on allocating a scatter list can result in an
overflow in the kzalloc() call (if num_elem is 0, the sglist will be
smaller than expected), or if num_elem is unexpectedly large the
subsequent loop will call alloc_pages() repeatedly, a high number of
pages will be allocated and the OOM killer might be invoked.

It looks like preventing this value from being negative in
pmcraid_ioctl_passthrough() would be sufficient.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2011-07-27 17:26:21 +04:00
aacraid Merge branch 'trivial' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6 2011-05-26 13:19:00 -07:00
aic7xxx treewide: fix a few typos in comments 2011-05-10 10:16:21 +02:00
aic7xxx_old Fix common misspellings 2011-03-31 11:26:23 -03:00
aic94xx [SCSI] aic94xx: world-writable sysfs update_bios file 2011-05-24 13:08:39 -04:00
arcmsr [SCSI] arcmsr: simplify assumptions in dma_alloc_coherent() 2011-05-01 16:32:23 -05:00
arm Fix common misspellings 2011-03-31 11:26:23 -03:00
be2iscsi [SCSI] iscsi_ibft, be2iscsi, iscsi_boot: fix boot kobj data lifetime management 2011-06-29 16:43:06 -05:00
bfa [SCSI] bfa: Update the driver version to 3.0.2.2 2011-07-27 14:59:02 +04:00
bnx2fc [SCSI] bnx2fc: Enable REC & CONF support for the session 2011-07-27 15:38:12 +04:00
bnx2i Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-07-23 11:13:11 -07:00
cxgbi Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-07-23 11:13:11 -07:00
device_handler [SCSI] dh_rdac: Use WWID from C8 page instead of Subsystem id from C4 page to identify storage 2011-07-27 14:29:44 +04:00
dpt Fix common misspellings 2011-03-31 11:26:23 -03:00
fcoe [SCSI] fcoe: Rearrange fcoe port and NPIV port cleanup 2011-06-29 16:33:25 -05:00
fnic [SCSI] fnic: fix incorrect use of SLAB_CACHE_DMA flag 2011-06-29 16:05:41 -05:00
ibmvscsi [SCSI] ibmvfc: Fix Virtual I/O failover hang 2011-06-29 12:08:39 -05:00
isci [SCSI] isci: fix checkpatch errors 2011-07-03 14:26:24 -05:00
libfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-07-23 11:13:11 -07:00
libsas [SCSI] libsas: remove expander from dev list on error 2011-07-27 15:50:58 +04:00
lpfc [SCSI] lpfc 8.3.25: Change driver version to 8.3.25 2011-07-27 15:17:10 +04:00
megaraid [SCSI] megaraid_sas Version to 5.40-rc1 and Changelog update 2011-07-27 15:45:22 +04:00
mpt2sas [SCSI] mpt2sas: WarpDrive Infinite command retries due to wrong scsi command entry in MPI message 2011-07-26 13:56:27 +04:00
mvsas [SCSI] mvsas: Add support for interrupt tasklet 2011-07-26 12:59:55 +04:00
osd [SCSI] libosd: osd_req_read_sg, optimize the single entry case 2011-01-24 12:06:31 -06:00
pcmcia Merge git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6 2011-05-24 13:28:35 -07:00
pm8001 Merge branch 'master' into for-next 2011-04-26 10:22:59 +02:00
qla2xxx [SCSI] qla2xxx: Cleanup of previous infrastructure. 2011-07-27 14:16:34 +04:00
qla4xxx Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-05-27 19:52:57 -07:00
sym53c8xx_2 Fix common misspellings 2011-03-31 11:26:23 -03:00
.gitignore
3w-9xxx.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
3w-9xxx.h Fix common misspellings 2011-03-31 11:26:23 -03:00
3w-sas.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
3w-sas.h
3w-xxxx.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
3w-xxxx.h Fix common misspellings 2011-03-31 11:26:23 -03:00
53c700.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
53c700.h
53c700.scr Fix common misspellings 2011-03-31 11:26:23 -03:00
53c700_d.h_shipped Fix common misspellings 2011-03-31 11:26:23 -03:00
a100u2w.c Merge branch 'master' into for-next 2010-12-22 18:57:02 +01:00
a100u2w.h
a2091.c m68k/scsi: a2091 - Do not use legacy Scsi_Host.base 2010-05-26 19:51:08 +02:00
a2091.h m68k/scsi: a2091 - Kill a2091_scsiregs typedef 2010-05-26 19:51:07 +02:00
a3000.c m68k/scsi: a3000 - Do not use legacy Scsi_Host.base 2010-05-26 19:51:08 +02:00
a3000.h m68k/scsi: a3000 - Kill a3000_scsiregs typedef 2010-05-26 19:51:07 +02:00
a4000t.c m68k: amiga - A4000T SCSI platform device conversion 2010-05-26 19:51:09 +02:00
advansys.c Fix common misspellings 2011-03-31 11:26:23 -03:00
aha152x.c [SCSI] aha152x: add missing ISA PNP IDs 2011-06-29 15:09:11 -05:00
aha152x.h
aha1542.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
aha1542.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
aha1740.c Fix common misspellings 2011-03-31 11:26:23 -03:00
aha1740.h
aic7xxx_old.c Fix common misspellings 2011-03-31 11:26:23 -03:00
atari_NCR5380.c [SCSI] atari_NCR5380: Provide a dummy NCR5380_exit() 2011-06-29 15:11:21 -05:00
atari_scsi.c [SCSI] atari_NCR5380: Provide a dummy NCR5380_exit() 2011-06-29 15:11:21 -05:00
atari_scsi.h
atp870u.c Fix common misspellings 2011-03-31 11:26:23 -03:00
atp870u.h
BusLogic.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
BusLogic.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
bvme6000_scsi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ch.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
constants.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-05-23 09:12:26 -07:00
dc395x.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
dc395x.h Fix common misspellings 2011-03-31 11:26:23 -03:00
dmx3191d.c
dpt_i2o.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
dpti.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
dtc.c
dtc.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
eata.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
eata_generic.h
eata_pio.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
eata_pio.h
esp_scsi.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-05-23 09:12:26 -07:00
esp_scsi.h
fd_mcs.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
fdomain.c Fix common misspellings 2011-03-31 11:26:23 -03:00
fdomain.h
FlashPoint.c Fix common misspellings 2011-03-31 11:26:23 -03:00
g_NCR5380.c Fix common misspellings 2011-03-31 11:26:23 -03:00
g_NCR5380.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
g_NCR5380_mmio.c
gdth.c [SCSI] gdth: Add missing call to gdth_ioctl_free 2010-12-31 09:50:09 -06:00
gdth.h Fix common misspellings 2011-03-31 11:26:23 -03:00
gdth_ioctl.h [SCSI] gdth: Convert to use regular kernel types. 2010-01-18 10:48:16 -06:00
gdth_proc.c [SCSI] gdth: Add missing call to gdth_ioctl_free 2010-12-31 09:50:09 -06:00
gdth_proc.h [SCSI] gdth: Convert to use regular kernel types. 2010-01-18 10:48:16 -06:00
gvp11.c Fix common misspellings 2011-03-31 11:26:23 -03:00
gvp11.h m68k: amiga - GVP Series II SCSI zorro_driver conversion 2010-05-26 19:51:08 +02:00
hosts.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6 2010-10-22 19:36:42 -07:00
hpsa.c [SCSI] hpsa: retry commands completing with status of UNSOLICITED_ABORT 2011-07-27 15:35:49 +04:00
hpsa.h [SCSI] hpsa: do not attempt to read from a write-only register 2011-07-27 15:18:26 +04:00
hpsa_cmd.h [SCSI] hpsa: use new doorbell-bit-5 reset method 2011-05-17 11:07:01 +04:00
hptiop.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
hptiop.h
ibmmca.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
imm.c Fix common misspellings 2011-03-31 11:26:23 -03:00
imm.h
in2000.c Merge branch 'trivial' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6 2011-05-26 13:19:00 -07:00
in2000.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
initio.c Fix common misspellings 2011-03-31 11:26:23 -03:00
initio.h Fix common misspellings 2011-03-31 11:26:23 -03:00
ipr.c [SCSI] ipr: fix possible false positive detection of stuck interrupt 2011-05-24 12:37:50 -04:00
ipr.h [SCSI] ipr: Driver version 2.5.2 2011-05-01 12:10:34 -05:00
ips.c Fix common misspellings 2011-03-31 11:26:23 -03:00
ips.h Fix common misspellings 2011-03-31 11:26:23 -03:00
iscsi_boot_sysfs.c [SCSI] iscsi_ibft, be2iscsi, iscsi_boot: fix boot kobj data lifetime management 2011-06-29 16:43:06 -05:00
iscsi_tcp.c [SCSI] iscsi_tcp: fix locking around iscsi sk user data 2011-06-29 16:43:08 -05:00
iscsi_tcp.h [SCSI] iscsi_tcp: use iscsi_conn_get_addr_param libiscsi function 2011-02-24 12:41:10 -05:00
jazz_esp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
Kconfig isci: remove compile-time (Kconfig) silicon configuration 2011-07-03 04:04:45 -07:00
lasi700.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
libiscsi.c [SCSI] iscsi: Use struct scsi_lun in iscsi structs instead of u8[8] 2011-06-29 16:22:13 -05:00
libiscsi_tcp.c [SCSI] libiscsi_tcp: fix LLD data allocation 2011-06-29 16:43:10 -05:00
libsrp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mac53c94.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
mac53c94.h
mac_esp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mac_scsi.c [SCSI] mac_scsi: Remove unused variable default_instance 2011-06-29 15:12:43 -05:00
mac_scsi.h
Makefile isci: Intel(R) C600 Series Chipset Storage Control Unit Driver 2011-07-02 22:56:22 -07:00
megaraid.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
megaraid.h Fix common misspellings 2011-03-31 11:26:23 -03:00
mesh.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
mesh.h
mvme16x_scsi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mvme147.c m68k/scsi: mvme147 - Kill obsolete HOSTS_C logic 2010-05-26 19:51:07 +02:00
mvme147.h [SCSI] mvme147: Reindentation 2010-05-02 15:55:03 -04:00
ncr53c8xx.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
ncr53c8xx.h
NCR53c406a.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
NCR5380.c Fix common misspellings 2011-03-31 11:26:23 -03:00
NCR5380.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
NCR_D700.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
NCR_D700.h
NCR_Q720.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
NCR_Q720.h
nsp32.c Fix common misspellings 2011-03-31 11:26:23 -03:00
nsp32.h Fix common misspellings 2011-03-31 11:26:23 -03:00
nsp32_debug.c treewide: fix a few typos in comments 2011-05-10 10:16:21 +02:00
nsp32_io.h
osst.c [SCSI] osst: fix warning 2011-05-24 13:09:41 -04:00
osst.h Fix common misspellings 2011-03-31 11:26:23 -03:00
osst_detect.h
osst_options.h
pas16.c
pas16.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
pmcraid.c [SCSI] pmcraid: reject negative request size 2011-07-27 17:26:21 +04:00
pmcraid.h Merge branch 'trivial' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6 2011-05-26 13:19:00 -07:00
ppa.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
ppa.h
ps3rom.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
qla1280.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
qla1280.h
qlogicfas.c
qlogicfas408.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
qlogicfas408.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
qlogicpti.c drivercore: revert addition of of_match to struct device 2011-05-18 12:32:23 -06:00
qlogicpti.h of/device: Replace struct of_device with struct platform_device 2010-08-06 09:25:50 -06:00
raid_class.c [SCSI] raid_attrs: fix dependency problems 2010-03-03 21:17:06 +05:30
script_asm.pl
scsi.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
scsi.h
scsi_debug.c Fix common misspellings 2011-03-31 11:26:23 -03:00
scsi_devinfo.c [SCSI] Blacklist Traxdata CDR4120 and IOMEGA Zip drive to avoid lock ups. 2011-06-29 15:08:47 -05:00
scsi_error.c [SCSI] Reduce error recovery time by reducing use of TURs 2011-05-24 12:51:53 -04:00
scsi_ioctl.c
scsi_lib.c [SCSI] scsi_lib: pause between error retries 2011-07-27 14:06:01 +04:00
scsi_lib_dma.c
scsi_logging.h
scsi_module.c
scsi_netlink.c Fix common misspellings 2011-03-31 11:26:23 -03:00
scsi_pm.c PM / Runtime: Return special error code if runtime PM is disabled 2011-07-02 14:30:10 +02:00
scsi_priv.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-03-17 17:54:40 -07:00
scsi_proc.c scsi: fix scsi_proc new kernel-doc warning 2011-05-28 23:12:11 -07:00
scsi_sas_internal.h [SCSI] scsi_transport_sas: add support for transport layer retries (TLR) 2010-02-08 17:15:19 -06:00
scsi_scan.c [SCSI] Fix oops caused by queue refcounting failure 2011-06-02 18:34:43 +09:00
scsi_sysctl.c
scsi_sysfs.c [SCSI] Fix oops caused by queue refcounting failure 2011-06-02 18:34:43 +09:00
scsi_tgt_if.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
scsi_tgt_lib.c [SCSI] esp, scsi_tgt_lib, fcoe: use list_move() instead of list_del()/list_add() combination 2011-05-01 10:20:10 -05:00
scsi_tgt_priv.h
scsi_trace.c [SCSI] scsi_trace: Decode UNMAP bit in WRITE SAME(10) 2011-05-24 12:38:36 -04:00
scsi_transport_api.h
scsi_transport_fc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-05-20 13:29:52 -07:00
scsi_transport_fc_internal.h
scsi_transport_iscsi.c [SCSI] scsi_transport_iscsi: make priv_sess file writeable only by root 2011-03-23 11:35:58 -05:00
scsi_transport_sas.c block: remove per-queue plugging 2011-03-10 08:52:07 +01:00
scsi_transport_spi.c [SCSI] scsi_transport_spi: Export host width and HBA id 2011-07-26 13:53:50 +04:00
scsi_transport_srp.c
scsi_transport_srp_internal.h
scsi_typedefs.h
scsi_wait_scan.c
scsicam.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sd.c [SCSI] Retrieve the Caching mode page (version 2) 2011-05-24 12:43:52 -04:00
sd.h [SCSI] sd: Logical Block Provisioning update 2011-03-14 18:37:34 -05:00
sd_dif.c block: Make the integrity mapped property a bio flag 2010-10-15 15:49:20 +02:00
ses.c [SCSI] ses: requesting a fault indication 2011-06-29 12:14:25 -05:00
sg.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-10-24 13:41:39 -07:00
sgiwd93.c update David Miller's old email address 2011-04-06 06:19:38 -07:00
sim710.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sni_53c710.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sr.c [SCSI] sr: check_events() ignore GET_EVENT when TUR says otherwise 2011-07-21 14:15:58 -07:00
sr.h [SCSI] sr: check_events() ignore GET_EVENT when TUR says otherwise 2011-07-21 14:15:58 -07:00
sr_ioctl.c scsi: replace sr_test_unit_ready() with scsi_test_unit_ready() 2010-12-16 17:53:39 +01:00
sr_vendor.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
st.c [SCSI] st: Increase success probability in driver buffer allocation 2010-12-22 23:26:50 -06:00
st.h [SCSI] st: fix mdata->page_order handling 2009-12-10 08:54:13 -06:00
st_options.h
stex.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
sun3_NCR5380.c [SCSI] sun3: Remove commented out merge_contiguous_buffers 2011-06-29 15:15:05 -05:00
sun3_scsi.c [SCSI] sun3: Add various missing NDEBUG* definitions 2011-06-29 15:14:54 -05:00
sun3_scsi.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
sun3_scsi_vme.c [SCSI] sun3: Add various missing NDEBUG* definitions 2011-06-29 15:14:54 -05:00
sun3x_esp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sun_esp.c dt/sparc: Eliminate users of of_platform_{,un}register_driver 2011-02-28 01:36:39 -07:00
sym53c416.c Fix common misspellings 2011-03-31 11:26:23 -03:00
sym53c416.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
t128.c
t128.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
tmscsim.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
tmscsim.h
u14-34f.c [SCSI] remove cmd->serial_number litter 2011-05-01 10:22:40 -05:00
ultrastor.c [SCSI] Fix Ultrastor asm snippet 2011-05-24 13:25:35 -04:00
ultrastor.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
vmw_pvscsi.c SCSI host lock push-down 2010-11-16 13:33:23 -08:00
vmw_pvscsi.h
wd33c93.c Merge branch 'trivial' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6 2011-05-26 13:19:00 -07:00
wd33c93.h SCSI host lock push-down 2010-11-16 13:33:23 -08:00
wd7000.c Fix common misspellings 2011-03-31 11:26:23 -03:00
zalon.c
zorro7xx.c m68k: amiga - Zorro bus modalias support 2010-05-17 21:37:41 +02:00