[SCSI] mpt2sas: prevent heap overflows and unchecked reads - linux

diff options

author	Dan Rosenberg <drosenberg@vsecurity.com>	2011-04-05 18:45:59 +0200
committer	James Bottomley <James.Bottomley@suse.de>	2011-04-24 18:01:59 +0200
commit	a1f74ae82d133ebb2aabb19d181944b4e83e9960 (patch)
tree	88f1834f08d0a5def17889a40855f72bd8bd3927 /Documentation/kernel-doc-nano-HOWTO.txt
parent	Merge branch 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafa... (diff)
download	linux-a1f74ae82d133ebb2aabb19d181944b4e83e9960.tar.xz linux-a1f74ae82d133ebb2aabb19d181944b4e83e9960.zip

[SCSI] mpt2sas: prevent heap overflows and unchecked reads

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Acked-by: Eric Moore <eric.moore@lsi.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>

Diffstat (limited to 'Documentation/kernel-doc-nano-HOWTO.txt')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: