Buffer overflow in the mptctl_replace_fw() function in linux kernel MPT ioctl driver

From: Dison River
Date: Fri Sep 01 2017 - 02:00:56 EST


Hi:
Buffer overflow in the mptctl_replace_fw() function in the Linux kernel
MPT ioctl driver.

In the mptctl_replace_fw function, the kernel didn't check the size of
the "newFwSize" variable, which allows attackers to cause a denial of
service via unspecified vectors that trigger copy_from_user function calls
with improper length arguments.


static int
mptctl_replace_fw (unsigned long arg)
{
	......
	if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
		printk(KERN_ERR MYNAM "%s@%d::mptctl_replace_fw - "
			"Unable to read in mpt_ioctl_replace_fw struct @ %p\n",
			__FILE__, __LINE__, uarg);
		return -EFAULT;
	}

	......

	mpt_free_fw_memory(ioc);

	/* Allocate memory for the new FW image
	 */
	newFwSize = ALIGN(karg.newImageSize, 4);

	mpt_alloc_fw_memory(ioc, newFwSize);
	......

	if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) {
		/* -------> newFwSize can be controlled from userspace */
		printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_replace_fw - "
			"Unable to read in mpt_ioctl_replace_fw image "
			"@ %p\n", ioc->name, __FILE__, __LINE__, uarg);
		mpt_free_fw_memory(ioc);
		return -EFAULT;
	}

	......

	return 0;
}
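Added example (not from the report or from the kernel driver): a user-space model of the size validation a firmware-replace path of this shape needs, with the caller-supplied image size bounded before ALIGN, allocation, or copy. The limit MAX_FW_IMAGE_SIZE, the struct and function names are assumptions for illustration; calloc/memcpy stand in for the DMA allocation and copy_from_user.

```c
/* Added example: user-space model of bounding an untrusted firmware size
 * before allocating and copying. Not kernel code; names and the 1 MiB
 * limit are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define ALIGN4(x) (((x) + 3u) & ~3u)          /* mirrors ALIGN(x, 4) */
#define MAX_FW_IMAGE_SIZE (1u << 20)          /* assumed upper bound: 1 MiB */

struct replace_fw_req {
    uint32_t new_image_size;                  /* caller-supplied, untrusted */
    const unsigned char *new_image;
};

/* Validate the caller-supplied size before any allocation or copy.
 * Stores the 4-byte-aligned length in *out_len; returns 0 or -EINVAL. */
int validate_fw_size(uint32_t requested, size_t *out_len)
{
    if (requested == 0 || requested > MAX_FW_IMAGE_SIZE)
        return -EINVAL;                       /* reject before ALIGN can wrap */
    *out_len = ALIGN4(requested);
    return 0;
}

/* Model of the replace path: bound the size, allocate exactly that much,
 * copy only the requested bytes into it (padding stays zero), then swap
 * the cached image. src_avail models how much the caller really supplied,
 * so a short source fails like copy_from_user would. Returns 0 or -errno. */
int replace_fw(const struct replace_fw_req *req, size_t src_avail,
               unsigned char **cached_fw, size_t *cached_len)
{
    size_t len;
    int rc = validate_fw_size(req->new_image_size, &len);
    if (rc)
        return rc;
    unsigned char *buf = calloc(len, 1);
    if (!buf)
        return -ENOMEM;
    if (src_avail < req->new_image_size) {    /* copy_from_user failure */
        free(buf);
        return -EFAULT;
    }
    memcpy(buf, req->new_image, req->new_image_size);
    free(*cached_fw);                         /* release the old image */
    *cached_fw = buf;
    *cached_len = len;
    return 0;
}
```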