From: Dan Carpenter <error27@gmail.com>
Date: Fri, 8 Oct 2010 07:03:07 +0000 (+0200)
Subject: [SCSI] gdth: integer overflow in ioctl
X-Git-Tag: v2.6.37-rc1~6^2~48
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f63ae56e4e97fb12053590e41a4fa59e7daa74a4;p=pandora-kernel.git

[SCSI] gdth: integer overflow in ioctl

gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer.  Then when we do the
copy_from_user(), it would result in a memory corruption.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
---

Reading git-diff-tree failed