oss-sec mailing list archives

linux kernel SCSI arcmsr driver: buffer overflow in arcmsr_iop_message_xfer()


From: Marco Grassi <marco.gra () gmail com>
Date: Sat, 17 Sep 2016 03:00:10 +0800

Hello,

Inspecting this code you can notice that:

http://lxr.free-electrons.com/source/drivers/scsi/arcmsr/arcmsr_hba.c#L2399

the int32_t user_len is taken from the scsi command

user_len = pcmdmessagefld->cmdmessage.Length;

and used directly without sanitization in a memcpy to a heap buffer of
fixed size 1032

memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);

potentially causing kernel heap corruption and arbitrary kernel code execution.


The issue has already been acknowledged and patched in a development
branch; the patch is here:

http://marc.info/?l=linux-scsi&m=147394713328707&w=2

This patch has been applied to a 4.9 scsi branch here
(4.9/scsi-queue), and at some point it will land in master:

http://marc.info/?l=linux-scsi&m=147394796228991&w=2

Thanks

Marco

https://marcograss.github.io
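The unchecked copy described in the post beside a bounds-checked version, as an added illustration that is neither the driver's code nor the upstream patch linked above; the struct layout, function names and the 4096-byte data array are assumptions, while the 1032-byte buffer size and the user_len / messagedatabuffer names follow the post:

```c
/* Added illustration (not the arcmsr driver code nor the upstream patch):
 * the unchecked memcpy pattern from the post, beside a length-checked one.
 * The struct below is a simplified stand-in (assumption) for the driver's
 * message structure; only the 1032-byte size and names come from the post. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARCMSR_MSG_BUF_SIZE 1032   /* fixed-size heap buffer from the post */

/* Simplified stand-in for the driver's message structure (assumption). */
struct cmd_message_field {
    int32_t length;                    /* Length field taken from the SCSI command */
    uint8_t messagedatabuffer[4096];   /* payload that follows the header */
};

/* Vulnerable pattern: user_len flows from the command straight into memcpy,
 * so any length above 1032 (or a negative one) writes past the heap buffer. */
void copy_message_unchecked(uint8_t *dst, const struct cmd_message_field *msg)
{
    int32_t user_len = msg->length;
    memcpy(dst, msg->messagedatabuffer, user_len);   /* no bounds check */
}

/* Hardened version: refuse negative or oversized lengths before copying.
 * Returns the number of bytes copied, or -1 when the request is rejected. */
int copy_message_checked(uint8_t *dst, const struct cmd_message_field *msg)
{
    int32_t user_len = msg->length;
    if (user_len < 0 || (uint32_t)user_len > ARCMSR_MSG_BUF_SIZE)
        return -1;                    /* would overflow the 1032-byte buffer */
    memcpy(dst, msg->messagedatabuffer, (size_t)user_len);
    return user_len;
}

int main(void)
{
    static uint8_t heap_buf[ARCMSR_MSG_BUF_SIZE];
    struct cmd_message_field ok = { .length = 16 };      /* constructed request */
    struct cmd_message_field bad = { .length = 4096 };   /* constructed, oversized */
    memset(ok.messagedatabuffer, 'A', 16);
    copy_message_unchecked(heap_buf, &ok);               /* safe only because 16 <= 1032 */
    printf("in-bounds request: %d\n", copy_message_checked(heap_buf, &ok));   /* 16 */
    printf("oversized request: %d\n", copy_message_checked(heap_buf, &bad));  /* -1 */
    return 0;
}
```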

