libnvdimm: Out of bounds read in __nd_ioctl()

The "cmd" comes from the user and it can be up to 255.  It it's more
than the number of bits in long, it results out of bounds read when we
check test_bit(cmd, &cmd_mask).  The highest valid value for "cmd" is
ND_CMD_CALL (10) so I added a compare against that.

Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
Signed-off-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Dan Williams <[email protected]>

diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
index a8b51596856996aadd1ec82ddaff1cf73c9f0e9a..09087c38fabdc17361d48a8e7ad7c322dd799c77 100644 (file)
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -1042,8 +1042,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
                        return -EFAULT;
        }
 
-       if (!desc || (desc->out_num + desc->in_num == 0) ||
-                       !test_bit(cmd, &cmd_mask))
+       if (!desc ||
+           (desc->out_num + desc->in_num == 0) ||
+           cmd > ND_CMD_CALL ||
+           !test_bit(cmd, &cmd_mask))
                return -ENOTTY;
 
        /* fail write commands (when read-only) */