cfi: check for inter overflow in cfi_devioctl

Reported by: Pietro Oliva Reviewed by: markj MFC after: 3 days Security: Possible OOB read in root-only ioctl Sponsored by: The FreeBSD Foundation
2019-11-25 21:21:37 +00:00 · 2019-11-25 21:21:37 +00:00 · 985d08fe52
commit 985d08fe52
parent 735c001b6b
1 changed files with 2 additions and 1 deletions
--- a/sys/dev/cfi/cfi_dev.c
+++ b/sys/dev/cfi/cfi_dev.c
@ -280,7 +280,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag,
 		rq = (struct cfiocqry *)data;
 		if (rq->offset >= sc->sc_size / sc->sc_width)
 			return (ESPIPE);
-		if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
+		if (rq->offset > ULONG_MAX - rq->count ||
+		    rq->offset + rq->count > sc->sc_size / sc->sc_width)
 			return (ENOSPC);

 		while (!error && rq->count--) {