Skip to content
Commit a1f74ae8 authored by Dan Rosenberg's avatar Dan Rosenberg Committed by James Bottomley
Browse files

[SCSI] mpt2sas: prevent heap overflows and unchecked reads



At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: default avatarEric Moore <eric.moore@lsi.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@suse.de>
parent 686c4cbb
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment