tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[SCSI] mpt2sas: prevent heap overflows and unchecked reads

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

authored by Dan Rosenberg and committed by James Bottomley a1f74ae8 686c4cbb

+21 -2
unified split
+21 -2
drivers/scsi/mpt2sas/mpt2sas_ctl.c
··· 688 688 goto out; 689 689 } 690 690 691 + /* Check for overflow and wraparound */ 692 + if (karg.data_sge_offset * 4 > ioc->request_sz || 693 + karg.data_sge_offset > (UINT_MAX / 4)) { 694 + ret = -EINVAL; 695 + goto out; 696 + } 697 + 691 698 /* copy in request message frame from user */ 692 699 if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) { 693 700 printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__, ··· 1970 1963 Mpi2DiagBufferPostReply_t *mpi_reply; 1971 1964 int rc, i; 1972 1965 u8 buffer_type; 1973 - unsigned long timeleft; 1966 + unsigned long timeleft, request_size, copy_size; 1974 1967 u16 smid; 1975 1968 u16 ioc_status; 1976 1969 u8 issue_reset = 0; ··· 2006 1999 return -ENOMEM; 2007 2000 } 2008 2001 2002 + request_size = ioc->diag_buffer_sz[buffer_type]; 2003 + 2009 2004 if ((karg.starting_offset % 4) || (karg.bytes_to_read % 4)) { 2010 2005 printk(MPT2SAS_ERR_FMT "%s: either the starting_offset " 2011 2006 "or bytes_to_read are not 4 byte aligned\n", ioc->name, ··· 2015 2006 return -EINVAL; 2016 2007 } 2017 2008 2009 + if (karg.starting_offset > request_size) 2010 + return -EINVAL; 2011 + 2018 2012 diag_data = (void *)(request_data + karg.starting_offset); 2019 2013 dctlprintk(ioc, printk(MPT2SAS_INFO_FMT "%s: diag_buffer(%p), " 2020 2014 "offset(%d), sz(%d)\n", ioc->name, __func__, 2021 2015 diag_data, karg.starting_offset, karg.bytes_to_read)); 2022 2016 2017 + /* Truncate data on requests that are too large */ 2018 + if ((diag_data + karg.bytes_to_read < diag_data) || 2019 + (diag_data + karg.bytes_to_read > request_data + request_size)) 2020 + copy_size = request_size - karg.starting_offset; 2021 + else 2022 + copy_size = karg.bytes_to_read; 2023 + 2023 2024 if (copy_to_user((void __user *)uarg->diagnostic_data, 2024 - diag_data, karg.bytes_to_read)) { 2025 + diag_data, copy_size)) { 2025 2026 printk(MPT2SAS_ERR_FMT "%s: Unable to write " 2026 2027 "mpt_diag_read_buffer_t data @ %p\n", ioc->name, 2027 2028 __func__, diag_data);