[thirdparty/kernel/stable-queue.git] / releases / 2.6.22.14 / hptiop-avoid-buffer-overflow-when-returning-sense-data.patch

From stable-bounces@linux.kernel.org Tue Oct 16 15:28:18 2007
From: HighPoint Linux Team <linux@highpoint-tech.com>
Date: Tue, 16 Oct 2007 14:28:24 -0700
Subject: hptiop: avoid buffer overflow when returning sense data
To: James.Bottomley@steeleye.com
Cc: akpm@linux-foundation.org, linux@highpoint-tech.com, stable@kernel.org, linux-scsi@vger.kernel.org
Message-ID: <200710162128.l9GLSORo018187@imap1.linux-foundation.org>


From: HighPoint Linux Team <linux@highpoint-tech.com>

patch 0fec02c93f60fb44ba3a24a0d3e4a52521d34d3f in mainline.

avoid buffer overflow when returning sense data.

With current adapter firmware the driver is working but future firmware
updates may return sense data larger than 96 bytes, causing overflow on
scp->sense_buffer and a kernel crash.

This fix should be backported to earlier kernels.

Signed-off-by: HighPoint Linux Team <linux@highpoint-tech.com>
Signed-off-by: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Matthew Wilcox <willy@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/scsi/hptiop.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/hptiop.c
+++ b/drivers/scsi/hptiop.c
@@ -377,8 +377,9 @@ static void hptiop_host_request_callback
 		scp->result = SAM_STAT_CHECK_CONDITION;
 		memset(&scp->sense_buffer,
 				0, sizeof(scp->sense_buffer));
-		memcpy(&scp->sense_buffer,
-			&req->sg_list, le32_to_cpu(req->dataxfer_length));
+		memcpy(&scp->sense_buffer, &req->sg_list,
+				min(sizeof(scp->sense_buffer),
+					le32_to_cpu(req->dataxfer_length)));
 		break;
 
 	default:
Commit	Line	Data
12fbf0f8 GKH	1	From stable-bounces@linux.kernel.org Tue Oct 16 15:28:18 2007
	2	From: HighPoint Linux Team <linux@highpoint-tech.com>
	3	Date: Tue, 16 Oct 2007 14:28:24 -0700
	4	Subject: hptiop: avoid buffer overflow when returning sense data
	5	To: James.Bottomley@steeleye.com
	6	Cc: akpm@linux-foundation.org, linux@highpoint-tech.com, stable@kernel.org, linux-scsi@vger.kernel.org
	7	Message-ID: <200710162128.l9GLSORo018187@imap1.linux-foundation.org>
	8
	9
	10	From: HighPoint Linux Team <linux@highpoint-tech.com>
	11
	12	patch 0fec02c93f60fb44ba3a24a0d3e4a52521d34d3f in mainline.
	13
	14	avoid buffer overflow when returning sense data.
	15
	16	With current adapter firmware the driver is working but future firmware
	17	updates may return sense data larger than 96 bytes, causing overflow on
	18	scp->sense_buffer and a kernel crash.
	19
	20	This fix should be backported to earlier kernels.
	21
	22	Signed-off-by: HighPoint Linux Team <linux@highpoint-tech.com>
	23	Signed-off-by: James Bottomley <James.Bottomley@steeleye.com>
	24	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
02a6e516	25	Acked-by: Matthew Wilcox <willy@linux.intel.com>
12fbf0f8 GKH	26	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	27
	28	---
	29	drivers/scsi/hptiop.c \| 5 +++--
	30	1 file changed, 3 insertions(+), 2 deletions(-)
	31
	32	--- a/drivers/scsi/hptiop.c
	33	+++ b/drivers/scsi/hptiop.c
	34	@@ -377,8 +377,9 @@ static void hptiop_host_request_callback
	35	scp->result = SAM_STAT_CHECK_CONDITION;
	36	memset(&scp->sense_buffer,
	37	0, sizeof(scp->sense_buffer));
	38	- memcpy(&scp->sense_buffer,
	39	- &req->sg_list, le32_to_cpu(req->dataxfer_length));
	40	+ memcpy(&scp->sense_buffer, &req->sg_list,
	41	+ min(sizeof(scp->sense_buffer),
	42	+ le32_to_cpu(req->dataxfer_length)));
	43	break;
	44
	45	default: