oss-sec mailing list archives

CVE request: kernel: two issues in mpt2sas


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Tue, 5 Apr 2011 13:00:28 -0400

"At two points in handling device ioctls via /dev/mpt2ctl,
user-supplied length values are used to copy data from userspace into
heap buffers without bounds checking, allowing controllable heap
corruption and subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with
no bounds checking, allowing users to read arbitrary kernel memory."
[1]

These issues require access to the /dev/mpt2sas device (LSI MPT Fusion
SAS 2.0).  While the kernel creates this device file root-root 660 by
default, I've seen it with more open permissions on live systems, so
perhaps there's some common use case that requires modifying these
default permissions.

-Dan

[1] http://marc.info/?l=linux-kernel&m=130202198105756&w=2
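Added illustration of the bug class the post describes, not code from the LKML patch or from the mpt2sas driver: a userspace model of an ioctl handler that takes a user-controlled length and offset for a copy into or out of a fixed heap buffer. Everything here is hypothetical (`DEV_BUF_SIZE`, `struct ioctl_req`, `dev_ioctl_write`/`dev_ioctl_read`, and the `model_copy_*` stand-ins for `copy_from_user()`/`copy_to_user()`); the real ioctl layout is not reproduced. It also shows the check a reviewer should insist on: the obvious `offset + len <= size` test wraps in 32-bit arithmetic, so a huge offset with a small length passes it, while the overflow-safe form rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Size of the fixed heap buffer the hypothetical driver owns (assumption). */
#define DEV_BUF_SIZE 64u

/* Stand-ins for the kernel's copy_from_user()/copy_to_user(): in this
 * userspace model the "user" side is an ordinary pointer, so a memcpy
 * suffices. Both return the number of bytes NOT copied, 0 on success,
 * matching the kernel convention. */
static unsigned long model_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}
static unsigned long model_copy_to_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Hypothetical ioctl argument: the caller controls the data pointer, the
 * length and the offset. This is not the real mpt2sas ioctl layout. */
struct ioctl_req {
    void     *data;    /* user pointer read from or written to */
    uint32_t  len;     /* user-supplied byte count */
    uint32_t  offset;  /* user-supplied offset into the driver buffer */
};

/* Driver state: one heap buffer of DEV_BUF_SIZE bytes. */
struct dev_state {
    unsigned char *buf;
};

/* Naive check that looks right but is not: offset + len can wrap in
 * 32-bit arithmetic, so a huge offset with a small len passes and the
 * copy then runs past the buffer. Shown for contrast; never use it. */
int bounds_ok_naive(uint32_t offset, uint32_t len)
{
    return offset + len <= DEV_BUF_SIZE;
}

/* Overflow-safe check: bound len first, then compare offset against the
 * remaining room. Neither expression can wrap. */
int bounds_ok_safe(uint32_t offset, uint32_t len)
{
    return len <= DEV_BUF_SIZE && offset <= DEV_BUF_SIZE - len;
}

/* Write path (the copy_from_user direction from the post): validate before
 * touching the buffer. Returns 0 or a negative errno-style code. */
int dev_ioctl_write(struct dev_state *d, const struct ioctl_req *r)
{
    if (!bounds_ok_safe(r->offset, r->len))
        return -22; /* -EINVAL */
    if (model_copy_from_user(d->buf + r->offset, r->data, r->len))
        return -14; /* -EFAULT */
    return 0;
}

/* Read path (the copy_to_user direction): the same check stops the handler
 * from handing out-of-bounds kernel heap contents back to the caller. */
int dev_ioctl_read(const struct dev_state *d, const struct ioctl_req *r)
{
    if (!bounds_ok_safe(r->offset, r->len))
        return -22; /* -EINVAL */
    if (model_copy_to_user(r->data, d->buf + r->offset, r->len))
        return -14; /* -EFAULT */
    return 0;
}

/* Allocate and free driver state so the handlers can be exercised. */
struct dev_state *dev_alloc(void)
{
    struct dev_state *d = malloc(sizeof *d);
    if (!d)
        return NULL;
    d->buf = calloc(DEV_BUF_SIZE, 1);
    if (!d->buf) {
        free(d);
        return NULL;
    }
    return d;
}

void dev_free(struct dev_state *d)
{
    if (!d)
        return;
    free(d->buf);
    free(d);
}
```

The point of the two check functions is the order of operations: once `len` is known to be at most the buffer size, `DEV_BUF_SIZE - len` cannot underflow and the offset comparison is exact. In a real driver the same discipline applies to any length field read from userspace, whether it is used as a `copy_from_user()` count, a `copy_to_user()` count, or an index into a kernel buffer.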

