In __mptctl_ioctl() of file drivers/message/fusion/mptctl.c, there seems
to be a way to cause a confused deputy attack by a race condition in
userspace.
1. In the first userspace fetch, copy_from_user(, uhdr, sizeof(khdr),
a user process can put, say, 01, in uhdr->iocnum which will be fetched
> On Sep 20, 2017, at 11:26 PM, Al Viro <v...@zeniv.linux.org.uk> wrote:
>
> On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote:
>> Since right after the user copy, we are going to
>> memset(, 0, sizeof(karg)), I guess an access_ok chec
Since right after the user copy, we are going to
memset(, 0, sizeof(karg)), the copy_from_user is redundant
Signed-off-by: Meng Xu <mengxu.gat...@gmail.com>
---
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ct
rrides user_srbcmd->count after the second
userspace fetch with the value fibsize from the first userspace fetch.
In this way, it is assured that the relation, user_srbcmd->count stores
the size of the user_srbcmd buffer, still holds after the second fetch.
Signed-off-by: Meng Xu <mengxu.g
Since right after the user copy, we are going to
memset(, 0, sizeof(karg)), I guess an access_ok check is enough?
Signed-off-by: Meng Xu <mengxu.gat...@gmail.com>
---
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/m