summaryrefslogtreecommitdiff
path: root/drivers/scsi
diff options
context:
space:
mode:
authorDarrick J. Wong <djwong@us.ibm.com>2011-01-31 18:47:54 -0800
committerJames Bottomley <James.Bottomley@suse.de>2011-02-12 11:21:56 -0600
commita361cc0025614fdd07f5f69aeeaa8075530870bc (patch)
tree419b9ae33664d20e6df60e78bf51f2d320548cf1 /drivers/scsi
parent044d78e1acb6614f5d79040e490f1fd9bfa45487 (diff)
downloadlinux-3.10-a361cc0025614fdd07f5f69aeeaa8075530870bc.tar.gz
linux-3.10-a361cc0025614fdd07f5f69aeeaa8075530870bc.tar.bz2
linux-3.10-a361cc0025614fdd07f5f69aeeaa8075530870bc.zip
[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption
If I create a scsi_debug device that is larger than 4GB, the multiplication of (block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately, the compiler sees two 32-bit quantities and performs a 32-bit multiplication, thus truncating the bits above 2^32. This causes the wrong memory location to be read or written. Change block and rest to be unsigned long long. Signed-off-by: Darrick J. Wong <djwong@us.ibm.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi')
-rw-r--r--drivers/scsi/scsi_debug.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 7b310934efe..a6b2d72022f 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1671,7 +1671,7 @@ static int do_device_access(struct scsi_cmnd *scmd,
unsigned long long lba, unsigned int num, int write)
{
int ret;
- unsigned int block, rest = 0;
+ unsigned long long block, rest = 0;
int (*func)(struct scsi_cmnd *, unsigned char *, int);
func = write ? fetch_to_dev_buffer : fill_from_dev_buffer;