| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1352285866-16593-1-git-send-email-nikolay@redhat.com> Date: Wed, 7 Nov 2012 11:57:46 +0100 From: Nikolay Aleksandrov <nikolay@...hat.com> To: linux-scsi@...r.kernel.org Cc: linux-kernel@...r.kernel.org, JBottomley@...allels.com, nikolay@...hat.com Subject: [PATCH] [SCSI] scsi_sysfs: fix a buffer overflow in sysfs handling Fix a stack buffer overflow in the SCSI layer sysfs handling code (store_host_reset()). When a host reset type is read via sscanf in str there is no limit on the length and str is defined as char str[10]. How to reproduce: Given that the sysfs entry exists, execute echo "AAAAAAAAAAAAAAAA" > /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/scsi_host/host0/host_reset Signed-off-by: Nikolay Aleksandrov <nikolay@...hat.com> --- drivers/scsi/scsi_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index ce5224c..51826e2 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -267,7 +267,7 @@ store_host_reset(struct device *dev, struct device_attribute *attr, char str[10]; int type; - sscanf(buf, "%s", str); + sscanf(buf, "%9s", str); type = check_reset_type(str); if (!type) -- 1.7.11.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists