mpt2sas: prevent heap overflows and unchecked reads
author Dan Rosenberg <drosenberg@vsecurity.com>
Tue, 5 Apr 2011 16:45:59 +0000 (12:45 -0400)
committer Paolo Pisati <paolo.pisati@canonical.com>
Tue, 31 May 2011 09:18:18 +0000 (11:18 +0200)
commit fe36a792e388068c897b64e81f52d01a037830e9
tree bf57555b02c2738b0ddb10ed373f637afc23c77d
parent 66b1f00e76a721a2f0ec5b27696a7d8b19266861
mpt2sas: prevent heap overflows and unchecked reads

BugLink: http://bugs.launchpad.net/bugs/780546
commit a1f74ae82d133ebb2aabb19d181944b4e83e9960 upstream.

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
drivers/scsi/mpt2sas/mpt2sas_ctl.c
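
The two kinds of check the commit message calls for, shown as an added userspace model that is not the mpt2sas driver's code or this patch. The struct, function names and buffer size are hypothetical, and memcpy() stands in for copy_from_user() and copy_to_user().

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define REQ_BUF_SIZE 256u /* hypothetical size of the driver's heap buffer */

/* Hypothetical ioctl argument; every field is caller-controlled. */
struct demo_req {
    uint32_t data_len; /* bytes to copy into the heap buffer */
    uint32_t read_off; /* offset to read back from */
    uint32_t read_len; /* bytes to read back */
};

/* Copy-in: reject a length larger than the destination before copying. */
static int demo_copy_in(uint8_t *heap, const struct demo_req *r, const uint8_t *in)
{
    if (r->data_len > REQ_BUF_SIZE)
        return -EINVAL;
    memcpy(heap, in, r->data_len); /* stands in for copy_from_user() */
    return 0;
}

/* Copy-out: offset and length must both fall inside the buffer. Subtracting
 * instead of testing read_off + read_len avoids 32-bit wrap-around. */
static int demo_copy_out(uint8_t *out, const uint8_t *heap, const struct demo_req *r)
{
    if (r->read_off > REQ_BUF_SIZE ||
        r->read_len > REQ_BUF_SIZE - r->read_off)
        return -EINVAL;
    memcpy(out, heap + r->read_off, r->read_len); /* stands in for copy_to_user() */
    return 0;
}

/* Model of the handler, run against constructed caller buffers. */
int demo_ioctl(uint32_t data_len, uint32_t read_off, uint32_t read_len)
{
    static uint8_t user_in[REQ_BUF_SIZE], user_out[REQ_BUF_SIZE];
    struct demo_req req = { data_len, read_off, read_len };
    uint8_t *heap_buf = calloc(1, REQ_BUF_SIZE);
    int rc;
    if (!heap_buf)
        return -ENOMEM;
    rc = demo_copy_in(heap_buf, &req, user_in);
    if (rc == 0)
        rc = demo_copy_out(user_out, heap_buf, &req);
    free(heap_buf);
    return rc;
}
```

A check written as `read_off + read_len > REQ_BUF_SIZE` would accept an offset of 0xFFFFFFF0 with a length of 0x20, because the 32-bit sum wraps to 0x10.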