aboutsummaryrefslogtreecommitdiff
path: root/drivers/usb
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2011-04-05 12:45:59 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2011-05-09 16:04:42 -0700
commit5c20dc7633ed54a3794378695934ec949b2354d5 (patch)
tree3375e487283b89edfa3a938e4fe4d247cf441c08 /drivers/usb
parent65d9b49fc245340fdb950a0842745acc88fafaba (diff)
mpt2sas: prevent heap overflows and unchecked reads
commit a1f74ae82d133ebb2aabb19d181944b4e83e9960 upstream. At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. Additionally, user-supplied values are used to determine the size of a copy_to_user() as well as the offset into the buffer to be read, with no bounds checking, allowing users to read arbitrary kernel memory. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Acked-by: Eric Moore <eric.moore@lsi.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb')
0 files changed, 0 insertions, 0 deletions