| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Mar 2015 23:36:48 +0100
From: Ondrej Zary <linux@...nbow-software.org>
To: linux-scsi@...r.kernel.org
Cc: Kernel development list <linux-kernel@...r.kernel.org>
Subject: [PATCH] sym53c416: Fix nasty memory corruption
In sym53c416_read(), the chip can (and does sometimes) return more bytes in
the FIFO than we want to read. This causes buffer overflow, resulting in nasty
memory and data corruption and oopses. I couldn't even read filesystem's root
directory properly (and a simple dd with 1M blocksize crashed the system)
without this patch.
Add a check to make sure we never read more bytes than required.
sym53c416_write() already contains similar check.
Signed-off-by: Ondrej Zary <linux@...nbow-software.org>
---
drivers/scsi/sym53c416.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sym53c416.c b/drivers/scsi/sym53c416.c
index 0b7819f..76e9715 100644
--- a/drivers/scsi/sym53c416.c
+++ b/drivers/scsi/sym53c416.c
@@ -253,6 +253,8 @@ static __inline__ unsigned int sym53c416_read(int base, unsigned char *buffer, u
while(len && timeout)
{
bytes_left = inb(base + PIO_FIFO_CNT); /* Number of bytes in the PIO FIFO */
+ if (bytes_left > len)
+ bytes_left = len;
if(fastpio && bytes_left > 3)
{
insl(base + PIO_FIFO_1, buffer, bytes_left >> 2);
--
Ondrej Zary
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists