4.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Apr 2018 14:04:57 +0000 (16:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Apr 2018 14:04:57 +0000 (16:04 +0200)
added patches:
sparc64-properly-range-check-dax-completion-index.patch

queue-4.16/series
queue-4.16/sparc64-properly-range-check-dax-completion-index.patch [new file with mode: 0644]

index b5375d8051e316e1cb188af08eb7939bc5d9651e..b0638de35c26ab8b6b37fdb67f8e08988d3e22e2 100644 (file)
@@ -7,3 +7,4 @@ l2tp-fix-race-in-duplicate-tunnel-detection.patch
 ip_gre-clear-feature-flags-when-incompatible-o_flags-are-set.patch
 vhost-fix-vhost_copy_to_user.patch
 lan78xx-correctly-indicate-invalid-otp.patch
+sparc64-properly-range-check-dax-completion-index.patch
diff --git a/queue-4.16/sparc64-properly-range-check-dax-completion-index.patch b/queue-4.16/sparc64-properly-range-check-dax-completion-index.patch
new file mode 100644 (file)
index 0000000..32fbd37
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sat Apr 14 16:04:49 CEST 2018
+From: Rob Gardner <rob.gardner@oracle.com>
+Date: Sat, 31 Mar 2018 22:53:01 -0600
+Subject: [PATCH] sparc64: Properly range check DAX completion index
+
+From: Rob Gardner <rob.gardner@oracle.com>
+
+
+[ Upstream commit 49d7006d9f01d435661d03bbea3db4c33935b3d8 ]
+
+Each Oracle DAX CCB has a corresponding completion area, and the required
+number of areas must fit within a previously allocated array of completion
+areas beginning at the requested index.  Since the completion area index
+is specified by a file offset, a user can pass arbitrary values, including
+negative numbers. So the index must be thoroughly range checked to prevent
+access to addresses outside the bounds of the allocated completion
+area array.  The index cannot be negative, and it cannot exceed the
+total array size, less the number of CCBs requested. The old code did
+not check for negative values and was off by one on the upper bound.
+
+Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
+Signed-off-by: Jonathan Helman <jonathan.helman@oracle.com>
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/sbus/char/oradax.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/sbus/char/oradax.c
++++ b/drivers/sbus/char/oradax.c
+@@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx *
+       dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx);
+       /* for given index and length, verify ca_buf range exists */
+-      if (idx + nccbs >= DAX_CA_ELEMS) {
++      if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) {
+               ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL;
+               return 0;
+       }
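Review bot: The new upper bound in `if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs))` is only sound if `nccbs` is a signed integer, and its declaration is not visible in this hunk. With a signed `nccbs`, a request larger than `DAX_CA_ELEMS` makes the right-hand side negative and every index is rejected; with an unsigned one the subtraction would wrap and the comparison would be done in unsigned arithmetic, so a user-chosen `idx` could pass the check again. I would record that assumption in the existing comment, for example `/* idx comes from the user-supplied file offset; nccbs is a signed int, so DAX_CA_ELEMS - nccbs goes negative rather than wrapping */`, and confirm it against the declarations earlier in `dax_ccb_exec`, whose body starts and ends outside the hunk. The `%d` in the `dax_dbg` context line suggests `idx` is an int narrowed from the file offset, so it is also worth confirming that the value checked here is the same narrowed value later used to index the completion area array.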