Date: Sat, 17 Sep 2016 03:00:10 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: linux kernel SCSI arcmsr driver: buffer overflow in arcmsr_iop_message_xfer()

Hello,

Inspecting this code, you can notice that:

http://lxr.free-electrons.com/source/drivers/scsi/arcmsr/arcmsr_hba.c#L2399

the int32_t user_len is taken from the SCSI command

user_len = pcmdmessagefld->cmdmessage.Length;

and used directly, without sanitization, in a memcpy to a heap buffer of
fixed size 1032:

memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);

potentially causing kernel heap corruption and arbitrary kernel code execution.


The issue has already been acknowledged and patched in a development
branch; the patch is here:

http://marc.info/?l=linux-scsi&m=147394713328707&w=2

This patch has been applied to a 4.9 scsi branch here
(4.9/scsi-queue), and at some point it will land in master:

http://marc.info/?l=linux-scsi&m=147394796228991&w=2

Thanks

Marco

https://marcograss.github.io
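The pattern the post describes, as an added example that is not Marco's code and not the arcmsr driver's source: a requester-controlled int32_t length is handed to memcpy with a 1032-byte destination. The struct layout, the names (cmd_message, API_DATA_BUFLEN, checked_copy, unchecked_copy_length) and the exact shape of the bounds check are assumptions chosen for illustration, not taken from the kernel or the linked patch. The vulnerable helper only computes the size memcpy would be given, so the demonstration runs without corrupting memory; the hardened helper shows the two checks a signed length needs before a copy into a fixed buffer: reject negatives, then bound by the destination size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types modelled on the post's description; not the kernel's. */
#define API_DATA_BUFLEN 1032   /* size of the fixed heap buffer the post names */
#define MAX_MSG_DATA    4096   /* larger than the buffer so a sample can exceed it */

struct cmd_message {
    int32_t length;            /* requester-controlled length, as in the report */
    uint8_t data[MAX_MSG_DATA];
};

/* Vulnerable pattern: the length goes to memcpy unchecked. This returns the
 * value memcpy would receive for its size argument, which exposes both
 * failure modes: a length above 1032 overruns the 1032-byte buffer, and a
 * negative int32_t is converted to a huge size_t. */
static size_t unchecked_copy_length(const struct cmd_message *msg)
{
    /* memcpy(tmp, msg->data, msg->length) performs exactly this conversion */
    return (size_t)msg->length;
}

/* Hardened pattern (assumed shape, not the kernel's exact check): validate
 * before copying. Rejects negative lengths and anything larger than the
 * destination, then copies into a caller-supplied buffer of dst_len bytes.
 * Returns the number of bytes copied, or -1 if the message was rejected. */
static int checked_copy(const struct cmd_message *msg, uint8_t *dst, size_t dst_len)
{
    if (msg->length < 0)                 /* signed length: catch negatives first */
        return -1;
    if ((size_t)msg->length > dst_len)   /* then bound by the destination size */
        return -1;
    memcpy(dst, msg->data, (size_t)msg->length);
    return msg->length;
}

/* Constructs a sample message with the given length and a marker payload. */
static void make_message(struct cmd_message *msg, int32_t length, uint8_t fill)
{
    memset(msg, 0, sizeof(*msg));
    msg->length = length;
    memset(msg->data, fill, sizeof(msg->data));
}

int main(void)
{
    struct cmd_message msg;
    uint8_t tmp[API_DATA_BUFLEN];

    /* Oversized length: the unchecked path would write 1016 bytes past tmp. */
    make_message(&msg, 2048, 0x41);
    printf("length 2048: memcpy would copy %zu bytes into a %d-byte buffer\n",
           unchecked_copy_length(&msg), API_DATA_BUFLEN);
    printf("length 2048: checked_copy -> %d\n", checked_copy(&msg, tmp, sizeof(tmp)));

    /* Negative length: passes a naive "> 1032" test but is SIZE_MAX to memcpy. */
    make_message(&msg, -1, 0x41);
    printf("length -1: memcpy would copy %zu bytes\n", unchecked_copy_length(&msg));
    printf("length -1: checked_copy -> %d\n", checked_copy(&msg, tmp, sizeof(tmp)));

    /* In-range length: the hardened path copies normally. */
    make_message(&msg, 512, 0x42);
    printf("length 512: checked_copy -> %d\n", checked_copy(&msg, tmp, sizeof(tmp)));
    return 0;
}
```

The negative case is the one worth remembering when reviewing fixes for this class of bug: a check of the form `if (len > BUFLEN)` on a signed variable lets -1 through, and the conversion at the memcpy call turns it into an unbounded copy, so either test `len < 0` as well or compare as unsigned against the destination size.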
