lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120614182745.GA6383@elgon.mountain>
Date:	Thu, 14 Jun 2012 21:27:45 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	manish.rangankar@...gic.com
Cc:	Mike Christie <michaelc@...wisc.edu>, open-iscsi@...glegroups.com,
	linux-kernel@...r.kernel.org
Subject: re: [SCSI] qla4xxx: support iscsiadm session mgmt

Hi Manish,

The patch b3a271a94d00: "[SCSI] qla4xxx: support iscsiadm session 
mgmt" from Jul 25, 2011, leads to the following warning:
drivers/scsi/qla4xxx/ql4_os.c:4479 qla4xxx_get_ep_fwdb()
	 warn: casting from 16 to 28 bytes

(Sort of).

drivers/scsi/qla4xxx/ql4_os.c qla4xxx_ep_connect()
   705          qla_ep = ep->dd_data;
   706          memset(qla_ep, 0, sizeof(struct qla_endpoint));
   707          if (dst_addr->sa_family == AF_INET) {
   708                  memcpy(&qla_ep->dst_addr, dst_addr, sizeof(struct sockaddr_in));
   709                  addr = (struct sockaddr_in *)&qla_ep->dst_addr;
   710                  DEBUG2(ql4_printk(KERN_INFO, ha, "%s: %pI4\n", __func__,
   711                                    (char *)&addr->sin_addr));
   712          } else if (dst_addr->sa_family == AF_INET6) {
   713                  memcpy(&qla_ep->dst_addr, dst_addr,
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   714                         sizeof(struct sockaddr_in6));
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Both qla_ep->dst_addr and dst_addr are type struct sockaddr.  We are
copying sizeof(struct sockaddr_in6) bytes which is 12 bytes larger.  I
don't know the actual size of qla_ep->dst_addr but dst_addr is allocated
in qla4xxx_get_ep_fwdb() as a struct sockaddr.  So we are copying past
the end of the struct here and it's possibly an information leak or even
a memory corruption issue depending on how much space ep->dd_data has.

   715                  addr6 = (struct sockaddr_in6 *)&qla_ep->dst_addr;
   716                  DEBUG2(ql4_printk(KERN_INFO, ha, "%s: %pI6\n", __func__,
   717                                    (char *)&addr6->sin6_addr));
   718          }

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ