Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / a1f74ae82d133ebb2aabb19d181944b4e83e9960
commita1f74ae82d133ebb2aabb19d181944b4e83e9960[log] [tgz]
authorDan Rosenberg <drosenberg@vsecurity.com>Tue Apr 05 12:45:59 2011 -0400
committerJames Bottomley <James.Bottomley@suse.de>Sun Apr 24 11:01:59 2011 -0500
tree88f1834f08d0a5def17889a40855f72bd8bd3927
parent686c4cbb10fc0e75b29b097290b4f7fc3f010b9e [diff]
[SCSI] mpt2sas: prevent heap overflows and unchecked reads

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
1 file changed
tree: 88f1834f08d0a5def17889a40855f72bd8bd3927
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS