[stgt] Possible overflow in spc_inquiry

Alexander Nezhinsky nezhinsky at gmail.com
Sun Jan 13 19:59:51 CET 2013


Hi

I've got few patches systematically fixing a number of problems in
SPC, including this one.
Going to send them soon, in a day or two.

Tomo, have you had a chance to look at the previous patches, PGR related?

Alexander


On Sun, Jan 13, 2013 at 4:14 PM, Frediano Ziglio <freddy77 at gmail.com> wrote:
>
> Hi,
>   in spc_inquiry copying a page yor have this code
>
>   data[0] = devtype;
>   data[1] = pcode;
>   data[2] = (vpd_pg->size >> 8);
>   data[3] = vpd_pg->size & 0xff;
>   memcpy(&data[4], vpd_pg->data, vpd_pg->size);
>   len = vpd_pg->size + 4;
>
> however data points to a stack allocated buffer of 256 bytes so if
> vpd_pg->size is > 252 (data copyed from byte 4) you have a possible
> overflow.
> vpd_pg->size is 16 bit and you use entire length just to fill data[2]
> and data[3] so this seems to confirm that size could be quite big.
>
> Happily however pages are all allocate in spc.c code and the size are
> quite small so now it's not exploitable.
>
> I was trying supporting more scsi_id emulations (like NAA).
>
> Frediano
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the stgt mailing list