lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 8 Aug 2012 18:00:22 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	manish.rangankar@...gic.com
Cc:	Mike Christie <michaelc@...wisc.edu>, open-iscsi@...glegroups.com,
	linux-kernel@...r.kernel.org
Subject: Re: [SCSI] qla4xxx: support iscsiadm session mgmt

I never heard back on this.  This buffer overflow is still present
in the current code.

regards,
dan carpenter

On Thu, Jun 14, 2012 at 09:27:45PM +0300, Dan Carpenter wrote:
> Hi Manish,
> 
> The patch b3a271a94d00: "[SCSI] qla4xxx: support iscsiadm session 
> mgmt" from Jul 25, 2011, leads to the following warning:
> drivers/scsi/qla4xxx/ql4_os.c:4479 qla4xxx_get_ep_fwdb()
> 	 warn: casting from 16 to 28 bytes
> 
> (Sort of).
> 
> drivers/scsi/qla4xxx/ql4_os.c qla4xxx_ep_connect()
>    705          qla_ep = ep->dd_data;
>    706          memset(qla_ep, 0, sizeof(struct qla_endpoint));
>    707          if (dst_addr->sa_family == AF_INET) {
>    708                  memcpy(&qla_ep->dst_addr, dst_addr, sizeof(struct sockaddr_in));
>    709                  addr = (struct sockaddr_in *)&qla_ep->dst_addr;
>    710                  DEBUG2(ql4_printk(KERN_INFO, ha, "%s: %pI4\n", __func__,
>    711                                    (char *)&addr->sin_addr));
>    712          } else if (dst_addr->sa_family == AF_INET6) {
>    713                  memcpy(&qla_ep->dst_addr, dst_addr,
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    714                         sizeof(struct sockaddr_in6));
>                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Both qla_ep->dst_addr and dst_addr are type struct sockaddr.  We are
> copying sizeof(struct sockaddr_in6) bytes which is 12 bytes larger.  I
> don't know the actual size of qla_ep->dst_addr but dst_addr is allocated
> in qla4xxx_get_ep_fwdb() as a struct sockaddr.  So we are copying past
> the end of the struct here and it's possibly an information leak or even
> a memory corruption issue depending on how much space ep->dd_data has.
> 
>    715                  addr6 = (struct sockaddr_in6 *)&qla_ep->dst_addr;
>    716                  DEBUG2(ql4_printk(KERN_INFO, ha, "%s: %pI6\n", __func__,
>    717                                    (char *)&addr6->sin6_addr));
>    718          }
> 
> regards,
> dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ