mpt2sas: prevent heap overflows and unchecked reads
commit 3f14204734d5cb567edbc6e90885a5d6cae21ad0
author Dan Rosenberg <drosenberg@vsecurity.com>
Tue, 5 Apr 2011 16:45:59 +0000 (5 12:45 -0400)
committer Andi Kleen <ak@linux.intel.com>
Mon, 1 Aug 2011 20:54:42 +0000 (1 13:54 -0700)
tree 89d15b227a82009eeaee8d13aea2954c256dc661
parent fff22ebf8262a288e4541d69fd959d9f2d8e4cc7
mpt2sas: prevent heap overflows and unchecked reads

[ upstream commit a1f74ae82d133ebb2aabb19d181944b4e83e9960 ]

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
drivers/scsi/mpt2sas/mpt2sas_ctl.c
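
An added example, not code from this patch or from the mpt2sas driver: a userspace C model of the two kinds of check the commit message calls for, a length bound before copying into a heap buffer and an offset-plus-length bound before copying out. `memcpy` stands in for `copy_from_user()`/`copy_to_user()`, and the struct, field and function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout: both fields are caller-controlled. */
struct read_req { uint32_t offset, length; };

/* Flawed check kept for contrast: offset + length wraps in 32 bits. */
int naive_range_ok(uint32_t buf_size, uint32_t off, uint32_t len)
{
    return (uint32_t)(off + len) <= buf_size;
}

/* Sound check: never forms off + len, so nothing can wrap. */
int range_ok(uint32_t buf_size, uint32_t off, uint32_t len)
{
    return off <= buf_size && len <= buf_size - off;
}

/* Read path; memcpy stands in for copy_to_user(). */
int checked_read(const uint8_t *kbuf, uint32_t kbuf_size,
                 const struct read_req *req, uint8_t *out, uint32_t out_size)
{
    if (!range_ok(kbuf_size, req->offset, req->length) || req->length > out_size)
        return -EINVAL;
    memcpy(out, kbuf + req->offset, req->length);
    return 0;
}

/* Write path; memcpy stands in for copy_from_user() into a heap buffer. */
int checked_write(uint8_t *kbuf, uint32_t kbuf_size, const uint8_t *src, uint32_t len)
{
    if (len == 0 || len > kbuf_size)
        return -EINVAL;
    memcpy(kbuf, src, len);
    return 0;
}

/* Constructed cases: counts how many of three bad requests are rejected. */
int demo_rejections(void)
{
    uint8_t kbuf[64] = {0}, out[64], big[128] = {0};
    struct read_req past_end = { 60, 8 }, wrap = { 0xFFFFFFF0u, 0x20 };
    int n = 0;
    n += checked_read(kbuf, sizeof kbuf, &past_end, out, sizeof out) == -EINVAL;
    n += checked_read(kbuf, sizeof kbuf, &wrap, out, sizeof out) == -EINVAL;
    n += checked_write(kbuf, sizeof kbuf, big, sizeof big) == -EINVAL;
    return n;
}
```

The `wrap` request is the case a sum-based comparison accepts: `0xFFFFFFF0 + 0x20` truncates to `0x10`, which is smaller than the 64-byte buffer.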