[CVE-2011-1494][Maverick][PATCH] mpt2sas: prevent heap overflows and unchecked reads, CVE-2011-1494

Tetsuo Handa from-ubuntu at I-love.SAKURA.ne.jp
Tue May 24 08:23:17 UTC 2011 

Stefan Bader wrote:
> > --- a/drivers/scsi/mpt2sas/mpt2sas_ctl.c
> > +++ b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
> > @@ -637,6 +637,13 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc,
> >   	data_out_sz = karg.data_out_size;
> >   	data_in_sz = karg.data_in_size;
> >
> > +	/* Check for overflow and wraparound */
> > +	if (karg.data_sge_offset * 4>  ioc->request_sz ||
> > +	    karg.data_sge_offset>  (UINT_MAX / 4)) {
> > +		ret = -EINVAL;
> > +		goto out;
> > +	}
> > +
> >   	/* copy in request message frame from user */
> >   	if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) {
> >   		printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__,

karg.data_sge_offset is assigned from user-supplied memory.
I don't know whether ioc->request_sz can be set to 0.

But if ioc->request_sz can be set to 0,

683         mpi_request = kzalloc(ioc->request_sz, GFP_KERNEL);

mpi_request is set to ZERO_SIZE_PTR

684         if (!mpi_request) {
685                 printk(MPT2SAS_ERR_FMT "%s: failed obtaining a memory for "
686                     "mpi_request\n", ioc->name, __func__);
687                 ret = -ENOMEM;
688                 goto out;
689         }
690 

and reaches here. If karg.data_sge_offset == 0,

691         /* Check for overflow and wraparound */
692         if (karg.data_sge_offset * 4 > ioc->request_sz ||
693             karg.data_sge_offset > (UINT_MAX / 4)) {
694                 ret = -EINVAL;
695                 goto out;
696         }
697 

reaches here.

copy_from_user() copies no data, but

698         /* copy in request message frame from user */
699         if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) {
700                 printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__,
701                     __func__);
702                 ret = -EFAULT;
703                 goto out;
704         }
705 

accessing ZERO_SIZE_PTR->Function is an oops.

706         if (mpi_request->Function == MPI2_FUNCTION_SCSI_TASK_MGMT) {

Many functions are passing a variable to (e.g.) kmalloc() with an
assumption that the value of that variable is never 0.

Although this was once NACKed at http://lkml.org/lkml/2010/2/26/30 , don't we
want memory allocator functions that return NULL if requested size is 0?


At line 706, mpi_request->Function is always 0 if karg.data_sge_offset == 0 and
ioc->request_sz != 0 ... Maybe we need karg.data_sge_offset != 0 check.

More information about the kernel-team mailing list