Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAFkTri+FwSj8n_sMckcY1PZLjAjcaizLmeDiJsRFmcZiDKjD9w@mail.gmail.com>
Date: Sat, 17 Sep 2016 03:00:10 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: linux kernel SCSI arcmsr driver: buffer overflow in arcmsr_iop_message_xfer()

Hello,

inspecting this code you can notice that:

http://lxr.free-electrons.com/source/drivers/scsi/arcmsr/arcmsr_hba.c#L2399

the int32_t user_len is taken from the scsi command

user_len = pcmdmessagefld->cmdmessage.Length;

and used directly without sanitization in a memcpy to a heap buffer of
fixed size 1032

memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);

potentially causing kernel heap corruption and arbitrary kernel code execution.


The issue has been already acknowledged and patched in a development
branch, the patch is here:

http://marc.info/?l=linux-scsi&m=147394713328707&w=2

this patch have been applied to a 4.9 scsi branch here
(4.9/scsi-queue), and at some point it will land in master

http://marc.info/?l=linux-scsi&m=147394796228991&w=2

Thanks

Marco

https://marcograss.github.io

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.