mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-30 23:54:04 +08:00
a1f74ae82d
At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Acked-by: Eric Moore <eric.moore@lsi.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de> |
||
|---|---|---|
| .. | ||
| mpi | ||
| Kconfig | ||
| Makefile | ||
| mpt2sas_base.c | ||
| mpt2sas_base.h | ||
| mpt2sas_config.c | ||
| mpt2sas_ctl.c | ||
| mpt2sas_ctl.h | ||
| mpt2sas_debug.h | ||
| mpt2sas_scsih.c | ||
| mpt2sas_transport.c | ||