From: Dave Jones <davej@redhat.com>
Date: Mon, 19 Oct 2009 23:55:13 +0000 (-0400)
Subject: gdth: Prevent negative offsets in ioctl CVE-2009-3080
X-Git-Tag: v2.6.27.40~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=664179bfb83f35f3f9a09a8b2323666882244d35;p=thirdparty%2Fkernel%2Fstable.git

gdth: Prevent negative offsets in ioctl CVE-2009-3080

commit 690e744869f3262855b83b4fb59199cf142765b0 upstream.

A negative offset could be used to index before the event buffer and
lead to a security breach.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index 822d5214692bf..4015499dad2ab 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -2912,7 +2912,7 @@ static int gdth_read_event(gdth_ha_str *ha, int handle, gdth_evt_str *estr)
         eindex = handle;
     estr->event_source = 0;
 
-    if (eindex >= MAX_EVENTS) {
+    if (eindex < 0 || eindex >= MAX_EVENTS) {
         spin_unlock_irqrestore(&ha->smp_lock, flags);
         return eindex;
     }