mirror of
https://github.com/torvalds/linux.git
synced 2024-12-18 17:12:55 +00:00
a1f74ae82d
At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Acked-by: Eric Moore <eric.moore@lsi.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de> |
||
---|---|---|
.. | ||
mpi | ||
Kconfig | ||
Makefile | ||
mpt2sas_base.c | ||
mpt2sas_base.h | ||
mpt2sas_config.c | ||
mpt2sas_ctl.c | ||
mpt2sas_ctl.h | ||
mpt2sas_debug.h | ||
mpt2sas_scsih.c | ||
mpt2sas_transport.c |