Bug #6968

open

unset tran_abort(9E) in a HBA driver can lead to a user controlled NULL-deref

Added by David Gwynne about 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
driver - device drivers
Start date:
2016-05-12
Due date:
% Done:
0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

if a hba driver does not provide a tran_abort function in its scsi_hba_tran_t instance, it appears that a user may be able to get the kernel to follow it as a NULL pointer via scsi_abort(), which is called via the DKIOCABORT handling in sdioctl().

my suggestion would be to VERIFY or ASSERT that tran_setup is not NULL in scsi_hba_attach_setup(). however, i am unsure what impact this would have on existing hba drivers.

a more conservative option may be to have scsi_abort check if tran_abort is not NULL before calling it.
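The two options above, as an added illustration that is not illumos code: a simplified stand-in for the HBA transport vector (the hypothetical `hba_tran_t`, with a single optional `tran_abort` callback) is dispatched once without a guard, mirroring the defect in the report, and once with the conservative NULL check; a separate attach-time validator models the stricter ASSERT/VERIFY choice. Signatures and return codes are assumptions for the example, not the real scsi_hba_tran_t or scsi_abort() interfaces.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified transport vector; not the real scsi_hba_tran_t. */
typedef struct hba_tran {
	const char *name;
	/* Optional: an HBA driver may legitimately leave this NULL. */
	int (*tran_abort)(struct hba_tran *tran, int pkt_id);
} hba_tran_t;

#define ABORT_OK   1
#define ABORT_FAIL 0

/* Unguarded dispatch: models the defect described in the report.
 * If tran_abort was never set, this follows a NULL function pointer
 * on a path reachable from an ioctl. */
static int scsi_abort_unchecked(hba_tran_t *tran, int pkt_id)
{
	return tran->tran_abort(tran, pkt_id);
}

/* Conservative option: refuse the abort when the HBA has no handler. */
static int scsi_abort_checked(hba_tran_t *tran, int pkt_id)
{
	if (tran == NULL || tran->tran_abort == NULL)
		return ABORT_FAIL;
	return tran->tran_abort(tran, pkt_id);
}

/* Stricter option: validate the vector once at attach time, so a driver
 * that omits tran_abort is rejected before any user path can reach it.
 * Returns 1 when the vector is acceptable, 0 otherwise. */
static int hba_attach_validate(const hba_tran_t *tran)
{
	return tran != NULL && tran->tran_abort != NULL;
}

/* Constructed sample handler standing in for a driver's abort routine. */
static int demo_abort(hba_tran_t *tran, int pkt_id)
{
	(void)tran;
	(void)pkt_id;
	return ABORT_OK;
}

/* Constructed sample vectors: one complete, one missing tran_abort. */
hba_tran_t tran_complete = { "complete", demo_abort };
hba_tran_t tran_missing  = { "missing",  NULL };

int main(void)
{
	printf("attach(%s) -> %d\n", tran_complete.name,
	    hba_attach_validate(&tran_complete));
	printf("attach(%s) -> %d\n", tran_missing.name,
	    hba_attach_validate(&tran_missing));
	printf("abort(%s) -> %d\n", tran_complete.name,
	    scsi_abort_checked(&tran_complete, 1));
	printf("abort(%s) -> %d\n", tran_missing.name,
	    scsi_abort_checked(&tran_missing, 1));
	/* scsi_abort_unchecked(&tran_missing, 1) would crash here. */
	return scsi_abort_unchecked(&tran_complete, 1) == ABORT_OK ? 0 : 1;
}
```

The guarded dispatcher returns a failure code that the ioctl path can hand back to the caller, while the attach-time check surfaces the misconfiguration at driver load, where the impact on existing drivers the report worries about would show up immediately rather than on a user-triggered path.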
