From 985d08fe52fda556fc631e7e40c5c2b0704a9d02 Mon Sep 17 00:00:00 2001
From: Ed Maste
Date: Mon, 25 Nov 2019 21:21:37 +0000
Subject: [PATCH] cfi: check for inter overflow in cfi_devioctl
Reported by: Pietro Oliva
Reviewed by: markj
MFC after: 3 days
Security: Possible OOB read in root-only ioctl
Sponsored by: The FreeBSD Foundation
---
 sys/dev/cfi/cfi_dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/dev/cfi/cfi_dev.c b/sys/dev/cfi/cfi_dev.c
index 1c812a49cb3..24408cf3358 100644
--- a/sys/dev/cfi/cfi_dev.c
+++ b/sys/dev/cfi/cfi_dev.c
@@ -280,7 +280,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag,
 rq = (struct cfiocqry *)data;
 if (rq->offset >= sc->sc_size / sc->sc_width)
 return (ESPIPE);
- if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
+ if (rq->offset > ULONG_MAX - rq->count ||
+ rq->offset + rq->count > sc->sc_size / sc->sc_width)
 return (ENOSPC);
 while (!error && rq->count--) {
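Review bot: The added guard `rq->offset > ULONG_MAX - rq->count` is only correct if both `offset` and `count` in `struct cfiocqry` are `unsigned long`; the struct is declared outside this hunk, so that should be confirmed, because with a narrower unsigned type the sum on the following line could still wrap while this comparison never fires. Since the preceding check already guarantees `rq->offset < sc->sc_size / sc->sc_width`, the bound can be written without any addition and without naming a limit constant: `if (rq->count > sc->sc_size / sc->sc_width - rq->offset)`. For unsigned operands that form cannot overflow and rejects the same requests with `ENOSPC`. cfi_devioctl's body starts and ends outside the hunk, so the loop that consumes `rq->count` is only partly visible here.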