linux/drivers/scsi/mpt2sas
Dan Rosenberg a1f74ae82d [SCSI] mpt2sas: prevent heap overflows and unchecked reads
At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
2011-04-24 11:01:59 -05:00
..
mpi Fix common misspellings 2011-03-31 11:26:23 -03:00
Kconfig [SCSI] mpt2sas: Copyright 2010. 2010-04-11 09:24:02 -05:00
Makefile [SCSI] mpt2sas v00.100.11.15 2009-03-13 16:08:49 -05:00
mpt2sas_base.c Fix common misspellings 2011-03-31 11:26:23 -03:00
mpt2sas_base.h [SCSI] mpt2sas : Added customer specific display support 2011-03-23 11:36:51 -05:00
mpt2sas_config.c Fix common misspellings 2011-03-31 11:26:23 -03:00
mpt2sas_ctl.c [SCSI] mpt2sas: prevent heap overflows and unchecked reads 2011-04-24 11:01:59 -05:00
mpt2sas_ctl.h [SCSI] mpt2sas: Copyright 2010. 2010-04-11 09:24:02 -05:00
mpt2sas_debug.h [SCSI] mpt2sas: Copyright 2010. 2010-04-11 09:24:02 -05:00
mpt2sas_scsih.c Fix common misspellings 2011-03-31 11:26:23 -03:00
mpt2sas_transport.c [SCSI] mpt2sas: Modify code to support Expander switch 2010-12-21 12:24:05 -06:00