oss-sec mailing list archives
linux kernel SCSI arcmsr driver: buffer overflow in arcmsr_iop_message_xfer()
From: Marco Grassi <marco.gra () gmail com>
Date: Sat, 17 Sep 2016 03:00:10 +0800
Hello,

inspecting this code you can notice that: http://lxr.free-electrons.com/source/drivers/scsi/arcmsr/arcmsr_hba.c#L2399

the int32_t user_len is taken from the scsi command

user_len = pcmdmessagefld->cmdmessage.Length;

and used directly without sanitization in a memcpy to a heap buffer of fixed size 1032

memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);

potentially causing kernel heap corruption and arbitrary kernel code execution.

The issue has been already acknowledged and patched in a development branch, the patch is here: http://marc.info/?l=linux-scsi&m=147394713328707&w=2

This patch has been applied to a 4.9 scsi branch here (4.9/scsi-queue), and at some point it will land in master http://marc.info/?l=linux-scsi&m=147394796228991&w=2

Thanks
Marco
https://marcograss.github.io
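The defect described in the report is a user-controlled length reaching memcpy with no comparison against the destination buffer's real capacity. The following is an added, self-contained C example (not the arcmsr driver's code, and not the linked patch) showing the bounds check a reviewer would expect at that point. The struct layout, the field names, the SCRATCH_BUF_LEN and XFER_* names, and the probe helpers are all constructed for this example; only the 1032-byte buffer size and the int32_t type of the length come from the report. Because user_len is a signed 32-bit value, the check also rejects negative lengths, which would otherwise become a huge size_t at the memcpy call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size scratch buffer of 1032 bytes as quoted in the report.
 * The macro name is a placeholder for this example, not the driver's constant. */
#define SCRATCH_BUF_LEN 1032

/* Constructed stand-in for the message header and payload parsed out of
 * the SCSI command; the field names are assumptions for this example. */
struct cmd_message {
    int32_t length;                 /* user-controlled byte count */
    uint8_t data[SCRATCH_BUF_LEN];  /* payload that follows the header */
};

/* Constructed success/failure codes for the copy routine. */
#define XFER_OK    0
#define XFER_FAIL  (-1)

/* Hardened copy: validate the user-supplied length against the actual
 * destination size before memcpy. The "user_len < 0" test matters because
 * the length is int32_t; a check of only "user_len > dst_len" on a signed
 * value would let a negative length through and wrap to a huge size_t. */
int copy_user_message(const struct cmd_message *msg,
                      uint8_t *dst, size_t dst_len)
{
    int32_t user_len = msg->length;

    if (user_len < 0 || (size_t)user_len > dst_len)
        return XFER_FAIL;           /* reject the request instead of overflowing */

    memcpy(dst, msg->data, (size_t)user_len);
    return XFER_OK;
}

/* Probe helper: builds a message whose payload is all 0x41, asks for a copy
 * of `len` bytes into a zeroed 1032-byte scratch buffer, and reports the
 * status and the first scratch byte (0x41 if a copy happened, 0 if not). */
int probe_length(int32_t len, int *first_byte)
{
    static uint8_t scratch[SCRATCH_BUF_LEN];
    struct cmd_message msg;
    int status;

    memset(&msg, 0, sizeof msg);
    memset(msg.data, 0x41, sizeof msg.data);
    msg.length = len;
    memset(scratch, 0, sizeof scratch);

    status = copy_user_message(&msg, scratch, sizeof scratch);
    if (first_byte)
        *first_byte = scratch[0];
    return status;
}

/* Stand-alone driver: exercises in-range, boundary, oversize and negative lengths. */
int main(void)
{
    const int32_t probes[] = { 16, SCRATCH_BUF_LEN, SCRATCH_BUF_LEN + 1, -1 };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int first = 0;
        int status = probe_length(probes[i], &first);
        printf("length %d -> %s (scratch[0]=0x%02x)\n", probes[i],
               status == XFER_OK ? "copied" : "rejected", first);
    }
    return 0;
}
```

The same shape of check applies to any length or count a kernel driver reads from a command block or ioctl argument: compare against the real capacity of the specific destination, treat signed inputs as untrusted in both directions, and fail the request rather than clamping silently, so the caller sees an error instead of truncated data.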