| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Dec 2018 15:26:09 -0600
From: Kangjie Lu <kjlu@....edu>
To: kjlu@....edu
Cc: pakki001@....edu,
Adaptec OEM Raid Solutions <aacraid@...rosemi.com>,
"James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] scsi: a potential double-fetch bug when copying msg
user_msg[0] is copied in twice from user space. It contains size and is
critical. The fix ensures it is not changed in the second copy.
Signed-off-by: Kangjie Lu <kjlu@....edu>
---
drivers/scsi/dpt_i2o.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 93bd1d1bd5b5..2294520842e0 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -1850,6 +1850,8 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg)
rcode = -EFAULT;
goto cleanup;
}
+ /* Ensure it is not changed in the second copy */
+ msg[0] = size;
sg_count = (size - sg_offset*4) / sizeof(struct sg_simple_element);
// TODO add 64 bit API
--
2.17.2 (Apple Git-113)
Powered by blists - more mailing lists