oss-sec mailing list archives
Re: Linux kernel: information disclosure in stex_queuecommand_lck
From: Xingyuan Mo <hdthky0 () gmail com>
Date: Mon, 19 Sep 2022 15:46:35 +0800
CVE-2022-40768 has been assigned to this issue.

Thanks,
Xingyuan Mo

On Fri, Sep 9, 2022 at 12:52 PM Xingyuan Mo <hdthky0 () gmail com> wrote:
Hello,

We found an information disclosure vulnerability in stex_queuecommand_lck() in drivers/scsi/stex.c through linux v6.0-rc4 which allows an attacker to disclose sensitive information such as kernel space addresses. This issue can be fixed with the following patch:
https://lore.kernel.org/all/20220908145154.2284098-1-gregkh () linuxfoundation org/

=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=

In drivers/scsi/stex.c (lines 666-686):

    case PASSTHRU_CMD:
        if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
            struct st_drvver ver;
            size_t cp_len = sizeof(ver);

            ver.major = ST_VER_MAJOR;
            ver.minor = ST_VER_MINOR;
            ver.oem = ST_OEM;
            ver.build = ST_BUILD_VER;
            ver.signature[0] = PASSTHRU_SIGNATURE;
            ver.console_id = host->max_id - 1;
            ver.host_no = hba->host->host_no;
            cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
            if (sizeof(ver) == cp_len)
                cmd->result = DID_OK << 16;
            else
                cmd->result = DID_ERROR << 16;
            done(cmd);
            return 0;
        }
        break;

The variable ver is declared off of the stack, but not zeroed out before being copied back to user space, resulting in sensitive information disclosure.

=*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=

2022-09-08: bug reported
2022-09-08: patch released

=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=

Xingyuan Mo (@hdthky) and Gengjia Chen (@chengjia4574) of IceSword Lab, 360

Best Regards,
Xingyuan Mo
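The leak described above, as an added userspace model that is neither the driver's code nor the linked patch: a stack slot is pre-filled with a marker byte, filled the way the excerpt does (and, for comparison, cleared with memset first), and then checked for marker bytes that would reach the caller. The struct layout, the reserved fields and all values assigned are constructed assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the driver's st_drvver: the field names used in the
 * excerpt, plus reserved fields that are an assumption of this example. */
struct st_drvver {
    uint8_t  major, minor, oem, build;
    uint32_t signature[2];
    uint8_t  console_id;
    uint8_t  host_no;
    uint8_t  reserved0[2];
    uint32_t reserved[3];
};

#define STALE_BYTE 0xAA  /* marker for whatever the stack slot held before */

/* Mirrors the excerpt: assign a handful of fields, touch nothing else.
 * signature[1], reserved0 and reserved keep whatever was there before. */
void fill_unzeroed(struct st_drvver *ver)
{
    ver->major = 6; ver->minor = 0; ver->oem = 1; ver->build = 1; /* constructed */
    ver->signature[0] = 0x43696b6b;                                /* constructed */
    ver->console_id = 15;
    ver->host_no = 0;
}

/* Hardened form: clear the whole object first so every byte that reaches the
 * caller is either an assigned value or zero (padding included). */
void fill_zeroed(struct st_drvver *ver)
{
    memset(ver, 0, sizeof(*ver));
    fill_unzeroed(ver);
}

/* Simulate the stack slot: pre-fill it with STALE_BYTE, run the filler, then
 * count bytes that still carry the marker. Those are the bytes a caller would
 * receive without the driver ever having meant to send them. */
size_t leaked_bytes(void (*fill)(struct st_drvver *))
{
    union { struct st_drvver v; unsigned char raw[sizeof(struct st_drvver)]; } slot;
    size_t i, leaked = 0;

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);
    fill(&slot.v);
    for (i = 0; i < sizeof slot.raw; i++)
        if (slot.raw[i] == STALE_BYTE)
            leaked++;
    return leaked;
}
```

With the constructed layout only 10 of the struct's bytes are ever assigned, so every other byte of the stack slot goes out unchanged unless the object is cleared first.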