From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Tue, 5 Apr 2011 16:45:59 +0000 (-0400)
Subject: [SCSI] mpt2sas: prevent heap overflows and unchecked reads
X-Git-Tag: v2.6.39-rc6~16^2~3
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1f74ae82d133ebb2aabb19d181944b4e83e9960;p=pandora-kernel.git

[SCSI] mpt2sas: prevent heap overflows and unchecked reads

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
---

Reading git-diff-tree failed