[04/20] [SCSI] gdth: Prevent negative offsets in ioctl CVE-2009-3080

From: Greg KH
Date: Sun Dec 06 2009 - 18:41:33 EST


2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------
From: Dave Jones <davej@xxxxxxxxxx>

commit 690e744869f3262855b83b4fb59199cf142765b0 upstream.

A negative offset could be used to index before the event buffer and
lead to a security breach.

Signed-off-by: Dave Jones <davej@xxxxxxxxxx>
Signed-off-by: James Bottomley <James.Bottomley@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/scsi/gdth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -2912,7 +2912,7 @@ static int gdth_read_event(gdth_ha_str *
eindex = handle;
estr->event_source = 0;

- if (eindex >= MAX_EVENTS) {
+ if (eindex < 0 || eindex >= MAX_EVENTS) {
spin_unlock_irqrestore(&ha->smp_lock, flags);
return eindex;
}
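
Review bot: On the rejected path directly after the new "eindex < 0" test, the function still does "return eindex;", so an out-of-range handle (now possibly a negative one) is passed back to the caller unchanged instead of a defined error value. The hunk does not show how callers interpret the return value, so it is worth confirming that none of them reuse it as the next handle, or returning a fixed sentinel here. The "< 0" test also only has an effect if eindex is a signed type. Its declaration is outside this hunk, so a short comment at the check saying that the handle comes from the ioctl and is deliberately compared as signed would protect the check from a later type change.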

