| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Sep 2017 14:00:48 +0800
From: Dison River <pwn2river@...il.com>
To: sathya.prakash@...adcom.com, chaitra.basappa@...adcom.com,
suganath-prabu.subramani@...adcom.com,
MPT-FusionLinux.pdl@...adcom.com, linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org, security@...nel.org
Subject: Buffer overflow in the mptctl_replace_fw() function in linux kernel
MPT ioctl driver
Hi:
Buffer overflow in the mptctl_replace_fw() function in linux kernel
MPT ioctl driver.
In mptctl_replace_fw function, kernel didn't check the size of
"newFwSize" variable allows attackers to cause a denial of service via
unspecified vectors that trigger copy_from_user function calls with
improper length arguments.
static int
mptctl_replace_fw (unsigned long arg)
{
......
if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
printk(KERN_ERR MYNAM "%s@%d::mptctl_replace_fw - "
"Unable to read in mpt_ioctl_replace_fw struct @ %p\n",
__FILE__, __LINE__, uarg);
return -EFAULT;
}
......
mpt_free_fw_memory(ioc);
/* Allocate memory for the new FW image
*/
newFwSize = ALIGN(karg.newImageSize, 4);
mpt_alloc_fw_memory(ioc, newFwSize);
......
if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) {
///------->newFwSize can control in userspace
printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_replace_fw - "
"Unable to read in mpt_ioctl_replace_fw image "
"@ %p\n", ioc->name, __FILE__, __LINE__, uarg);
mpt_free_fw_memory(ioc);
return -EFAULT;
}
......
return 0;
}
Powered by blists - more mailing lists