Bug #4233: mptsas topo change buffer overflow - illumos gate - illumos

Bug #4233

mptsas topo change buffer overflow

Added by Hans Rosenfeld over 7 years ago. Updated about 7 years ago.

Status:

Resolved

Priority:

High

Assignee:

Hans Rosenfeld

Category:

kernel

Start date:

2013-10-18

Due date:

% Done:

100%

Estimated time:

Difficulty:

Medium

Tags:

Gerrit CR:

Description

There is a nasty little buffer overflow in the SMHBA code in mpt_sas.

When a directly attached device is plugged in, mptsas_handle_topo_change() will try to update the phy properties for SMHBA by calling mptsas_smhba_set_phy_props() for one (1) phy. Mptsas_smhba_set_phy_props() will allocate space for one nvlist pointer according to the phy_nums argument. Later when it iterates over all phys and sets the properties for those that have a matching phy_mask, it does not check phy_nums and will happily write past the end of the nvlist pointer array.

History
Notes

Also available in: Atom PDF

Project

General

Profile

illumos gate

Custom queries

Bug #4233

mptsas topo change buffer overflow

Updated by Hans Rosenfeld over 7 years ago

Updated by Robert Mustacchi about 7 years ago