Commit f84afbdd authored Feb 25, 2020 by Dan Carpenter Committed by Dan Williams Feb 28, 2020

libnvdimm: Out of bounds read in __nd_ioctl()

The "cmd" comes from the user and it can be up to 255. It it's more
than the number of bits in long, it results out of bounds read when we
check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is
ND_CMD_CALL (10) so I added a compare against that.

Fixes: 62232e45 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain

Signed-off-by: Dan Williams <dan.j.williams@intel.com>

parent 01091c49

drivers/nvdimm/bus.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -1042,7 +1042,9 @@ static int __nd_ioctl(struct nvdimm_bus nvdimm_bus, struct nvdimm nvdimm,
		return -EFAULT;
		}

		if (!desc \|\| (desc->out_num + desc->in_num == 0) \|\|
		if (!desc \|\|
		(desc->out_num + desc->in_num == 0) \|\|
		cmd > ND_CMD_CALL \|\|
		!test_bit(cmd, &cmd_mask))
		return -ENOTTY;