[SCSI] scsi_debug: fix map_region and unmap_region oops

map_region and unmap_region could access to invalid memory area since they don't check the size boundary. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>

[SCSI] scsi_debug: fix map_region and unmap_region oops
map_region and unmap_region could access to invalid memory area since they don't check the size boundary. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
FUJITA Tomonori · James Bottomley
1 parent 4289a08680
Showing 1 changed file with 4 additions and 2 deletions Side-by-side Diff
drivers/scsi/scsi_debug.c
@@ -1991,7 +1991,8 @@
 		block = lba + alignment;
 		rem = do_div(block, granularity);
  
-		set_bit(block, map_storep);
+		if (block < map_size)
+			set_bit(block, map_storep);
  
 		lba += granularity - rem;
 	}
@@ -2011,7 +2012,8 @@
 		block = lba + alignment;
 		rem = do_div(block, granularity);
  
-		if (rem == 0 && lba + granularity <= end)
+		if (rem == 0 && lba + granularity <= end &&
+		    block < map_size)
 			clear_bit(block, map_storep);
  
 		lba += granularity - rem;
...	...	@@ -1991,7 +1991,8 @@
1991	1991	block = lba + alignment;
1992	1992	rem = do_div(block, granularity);
1993	1993
1994		- set_bit(block, map_storep);
	1994	+ if (block < map_size)
	1995	+ set_bit(block, map_storep);
1995	1996
1996	1997	lba += granularity - rem;
1997	1998	}
...	...	@@ -2011,7 +2012,8 @@
2011	2012	block = lba + alignment;
2012	2013	rem = do_div(block, granularity);
2013	2014
2014		- if (rem == 0 && lba + granularity <= end)
	2015	+ if (rem == 0 && lba + granularity <= end &&
	2016	+ block < map_size)
2015	2017	clear_bit(block, map_storep);
2016	2018
2017	2019	lba += granularity - rem;