lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 08 Aug 2012 10:35:44 -0500
From:	Mike Christie <michaelc@...wisc.edu>
To:	Dan Carpenter <dan.carpenter@...cle.com>
CC:	manish.rangankar@...gic.com, open-iscsi@...glegroups.com,
	linux-kernel@...r.kernel.org
Subject: Re: [SCSI] qla4xxx: support iscsiadm session mgmt

On 08/08/2012 10:00 AM, Dan Carpenter wrote:
> I never heard back on this.  This buffer overflow is still present
> in the current code.
> 

Qlogic just sent a patch yesterday.
http://marc.info/?l=linux-scsi&m=134434199930938&w=2

> regards,
> dan carpenter
> 
> On Thu, Jun 14, 2012 at 09:27:45PM +0300, Dan Carpenter wrote:
>> Hi Manish,
>>
>> The patch b3a271a94d00: "[SCSI] qla4xxx: support iscsiadm session 
>> mgmt" from Jul 25, 2011, leads to the following warning:
>> drivers/scsi/qla4xxx/ql4_os.c:4479 qla4xxx_get_ep_fwdb()
>> 	 warn: casting from 16 to 28 bytes
>>
>> (Sort of).
>>
>> drivers/scsi/qla4xxx/ql4_os.c qla4xxx_ep_connect()
>>    705          qla_ep = ep->dd_data;
>>    706          memset(qla_ep, 0, sizeof(struct qla_endpoint));
>>    707          if (dst_addr->sa_family == AF_INET) {
>>    708                  memcpy(&qla_ep->dst_addr, dst_addr, sizeof(struct sockaddr_in));
>>    709                  addr = (struct sockaddr_in *)&qla_ep->dst_addr;
>>    710                  DEBUG2(ql4_printk(KERN_INFO, ha, "%s: %pI4\n", __func__,
>>    711                                    (char *)&addr->sin_addr));
>>    712          } else if (dst_addr->sa_family == AF_INET6) {
>>    713                  memcpy(&qla_ep->dst_addr, dst_addr,
>>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>    714                         sizeof(struct sockaddr_in6));
>>                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> Both qla_ep->dst_addr and dst_addr are type struct sockaddr.  We are
>> copying sizeof(struct sockaddr_in6) bytes which is 12 bytes larger.  I
>> don't know the actual size of qla_ep->dst_addr but dst_addr is allocated
>> in qla4xxx_get_ep_fwdb() as a struct sockaddr.  So we are copying past
>> the end of the struct here and it's possibly an information leak or even
>> a memory corruption issue depending on how much space ep->dd_data has.
>>
>>    715                  addr6 = (struct sockaddr_in6 *)&qla_ep->dst_addr;
>>    716                  DEBUG2(ql4_printk(KERN_INFO, ha, "%s: %pI6\n", __func__,
>>    717                                    (char *)&addr6->sin6_addr));
>>    718          }
>>
>> regards,
>> dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ