diff options
| author | Dan Rosenberg <drosenberg@vsecurity.com> | 2011-04-05 12:45:59 -0400 | 
|---|---|---|
| committer | James Bottomley <James.Bottomley@suse.de> | 2011-04-24 11:01:59 -0500 | 
| commit | a1f74ae82d133ebb2aabb19d181944b4e83e9960 (patch) | |
| tree | 88f1834f08d0a5def17889a40855f72bd8bd3927 /net/sched/cls_basic.c | |
| parent | 686c4cbb10fc0e75b29b097290b4f7fc3f010b9e (diff) | |
[SCSI] mpt2sas: prevent heap overflows and unchecked reads
At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.
Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'net/sched/cls_basic.c')
0 files changed, 0 insertions, 0 deletions
