oss-sec mailing list archives
CVE request: kernel: two issues in mpt2sas
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Tue, 5 Apr 2011 13:00:28 -0400
"At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory." [1]

These issues require access to the /dev/mpt2sas device (LSI MPT Fusion SAS 2.0). While the kernel creates this device file root-root 660 by default, I've seen it with more open permissions on live systems, so perhaps there's some common use case that requires modifying these default permissions.

-Dan

[1] http://marc.info/?l=linux-kernel&m=130202198105756&w=2
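The two missing checks described in the quoted report, as an added user-space model (not code from the mail or from the mpt2sas driver): the request struct, its field names and the buffer size are hypothetical, and memcpy stands in for copy_from_user()/copy_to_user().

```c
/* Added example, not from the original mail or the mpt2sas driver: a
 * user-space model of the two checks the ioctl path needed. A
 * user-supplied length must not exceed the heap buffer it is copied into,
 * and a user-supplied (offset, length) pair must stay inside the buffer
 * that is copied back out. Struct and field names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CTL_BUF_SIZE 256 /* size of the hypothetical heap buffer */

/* Hypothetical ioctl request exactly as user space may construct it. */
struct ctl_request {
    uint32_t data_len;    /* bytes to copy from user into the buffer */
    uint32_t read_offset; /* start of the later copy back to user */
    uint32_t read_len;    /* bytes to copy back */
};

/* 1 if data_len bytes fit in a buffer of buf_size bytes. */
int copy_in_is_bounded(const struct ctl_request *req, size_t buf_size)
{
    return req->data_len <= buf_size;
}

/* 1 if [read_offset, read_offset + read_len) lies inside the buffer.
 * Checking the offset first and then subtracting avoids the wrap-around
 * that a naive "offset + len > size" test in 32-bit arithmetic suffers. */
int copy_out_is_bounded(const struct ctl_request *req, size_t buf_size)
{
    if (req->read_offset > buf_size)
        return 0;
    return req->read_len <= buf_size - req->read_offset;
}

/* Simulated handler: 0 on success, -1 if either check rejects the request.
 * The memcpy calls stand in for copy_from_user()/copy_to_user(). */
int handle_ctl_request(const struct ctl_request *req, const uint8_t *user_in,
                       uint8_t *buf, size_t buf_size, uint8_t *user_out)
{
    if (!copy_in_is_bounded(req, buf_size) || !copy_out_is_bounded(req, buf_size))
        return -1;
    memcpy(buf, user_in, req->data_len);
    memcpy(user_out, buf + req->read_offset, req->read_len);
    return 0;
}
```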