Project

General

Profile

Bug #4233

mptsas topo change buffer overflow

Added by Hans Rosenfeld over 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
High
Category:
kernel
Start date:
2013-10-18
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

There is a nasty little buffer overflow in the SMHBA code in mpt_sas.

When a directly attached device is plugged in, mptsas_handle_topo_change() will try to update the phy properties for SMHBA by calling mptsas_smhba_set_phy_props() for one (1) phy. Mptsas_smhba_set_phy_props() will allocate space for one nvlist pointer according to the phy_nums argument. Later when it iterates over all phys and sets the properties for those that have a matching phy_mask, it does not check phy_nums and will happily write past the end of the nvlist pointer array.

Also available in: Atom PDF