* [Bug 116751] New: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
From: bugzilla-daemon @ 2016-04-19 21:45 UTC
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=116751
Bug ID: 116751
Summary: Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
Product: SCSI Drivers
Version: 2.5
Kernel Version: 4.5
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: AACRAID
Assignee: scsi_drivers-aacraid@kernel-bugs.osdl.org
Reporter: wpengfeinudt@gmail.com
Regression: No
Hi,
I found this Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c when I was examining the source code.

In function ioctl_send_fib(), the driver fetches user space data through the pointer arg via copy_from_user(), and this happens twice, at line 81 and line 116 respectively. The first fetched value (stored in kfib) is used to get the header and calculate the size at line 90 so as to copy the whole message later at line 116, which means the copy size of the whole message is based on the old value that came from the first fetch. Besides, the whole message copied in the second fetch also contains the header.

However, when the function processes the message after the second fetch at line 130, it uses kfib->header.Size that came from the second fetch, which might be different from the one that came from the first fetch and that was used to calculate the size for copying the message from user space into the driver.

If kfib->header.Size is modified by a user thread under a race condition between the fetch operations, for example changed to a very large value, this will lead to an out-of-bounds access or other serious consequences in function aac_fib_send().
I am looking forward to a reply on this, thank you!
Kind regards
Pengfei
--
You are receiving this mail because:
You are watching the assignee of the bug.
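The double-fetch pattern described in the report, modelled in userland C as an added illustration (this is not the aacraid driver's code and not part of the bug report): a simulated copy_from_user() whose second fetch can observe a header that changed after the first one, with the vulnerable flow next to a hardened variant that re-checks the header after the second fetch. All names here (fake_copy_from_user, send_fib_vulnerable, send_fib_hardened, struct user_src) are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed userland model of the ioctl_send_fib() double fetch; the names are
 * hypothetical stand-ins, not the aacraid driver's own code or identifiers. */
#define MAX_MSG 64u
struct fib_header { uint32_t size; };   /* stands in for kfib->header.Size */

/* Simulated user memory. If `race` is set, another thread rewrites the size
 * field between the driver's first and second copy_from_user(). */
struct user_src { unsigned char buf[MAX_MSG]; uint32_t racing_size; int race; };

static int fake_copy_from_user(void *dst, struct user_src *src, size_t n, int fetch_no)
{
    if (n > MAX_MSG) return -1;
    if (src->race && fetch_no == 2)              /* the race window: header changed */
        memcpy(src->buf, &src->racing_size, sizeof src->racing_size);
    memcpy(dst, src->buf, n);
    return 0;
}

static uint32_t header_size(const unsigned char *msg)
{
    uint32_t s; memcpy(&s, msg, sizeof s); return s;   /* alignment-safe read */
}

/* Vulnerable pattern: the size is validated from fetch #1, but the value that
 * later code trusts comes from fetch #2, so the two can disagree. */
static int send_fib_vulnerable(struct user_src *src, uint32_t *used_size)
{
    unsigned char kfib[MAX_MSG];
    struct fib_header hdr;
    if (fake_copy_from_user(&hdr, src, sizeof hdr, 1)) return -1;
    if (hdr.size < sizeof hdr || hdr.size > MAX_MSG) return -1;  /* check on first value */
    if (fake_copy_from_user(kfib, src, hdr.size, 2)) return -1;  /* header copied again */
    *used_size = header_size(kfib);                              /* unchecked second value */
    return 0;
}

/* Hardened pattern: after the second fetch, confirm the header still matches the
 * validated copy and reject the request otherwise; only the checked value is used. */
static int send_fib_hardened(struct user_src *src, uint32_t *used_size)
{
    unsigned char kfib[MAX_MSG];
    struct fib_header hdr;
    if (fake_copy_from_user(&hdr, src, sizeof hdr, 1)) return -1;
    if (hdr.size < sizeof hdr || hdr.size > MAX_MSG) return -1;
    if (fake_copy_from_user(kfib, src, hdr.size, 2)) return -1;
    if (header_size(kfib) != hdr.size) return -1;                /* mismatch: reject (-EINVAL) */
    *used_size = hdr.size;
    return 0;
}
```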
* [Bug 116751] Double-Fetch bug in Linux-4.5/drivers/scsi/aacraid/commctrl.c
From: bugzilla-daemon @ 2016-04-25 16:23 UTC
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=116751
--- Comment #1 from Pengfei Wang <wpengfeinudt@gmail.com> ---
Created attachment 214111
--> https://bugzilla.kernel.org/attachment.cgi?id=214111&action=edit
source file