[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption

If I create a scsi_debug device that is larger than 4GB, the multiplication of (block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately, the compiler sees two 32-bit quantities and performs a 32-bit multiplication, thus truncating the bits above 2^32. This causes the wrong memory location to be read or written. Change block and rest to be unsigned long long. Signed-off-by: Darrick J. Wong <djwong@us.ibm.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>

[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption
If I create a scsi_debug device that is larger than 4GB, the multiplication of (block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately, the compiler sees two 32-bit quantities and performs a 32-bit multiplication, thus truncating the bits above 2^32. This causes the wrong memory location to be read or written. Change block and rest to be unsigned long long. Signed-off-by: Darrick J. Wong <djwong@us.ibm.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
a361cc00 · Darrick J. Wong · James Bottomley · 044d78e1 · a361cc00
Commit a361cc00 authored Jan 31, 2011 by Darrick J. Wong Committed by James Bottomley Feb 12, 2011
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/scsi/scsi_debug.c drivers/scsi/scsi_debug.c +1 -1

No files found.
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1671,7 +1671,7 @@ static int do_device_access(struct scsi_cmnd *scmd,
 			    unsigned long long lba, unsigned int num, int write)
 {
 	int ret;
-	unsigned int block, rest = 0;
+	unsigned long long block, rest = 0;
 	int (*func)(struct scsi_cmnd *, unsigned char *, int);

 	func = write ? fetch_to_dev_buffer : fill_from_dev_buffer;