Date:      Fri, 21 Jun 2019 13:42:41 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r349268 - head/sys/dev/nand
Message-ID:  <201906211342.x5LDgfWA066787@repo.freebsd.org>

Author: emaste
Date: Fri Jun 21 13:42:40 2019
New Revision: 349268
URL: https://svnweb.freebsd.org/changeset/base/349268

Log:
  nandsim: correct test to avoid out-of-bounds access
  
  Previously nandsim_chip_status returned EINVAL iff both of user-provided
  chip->ctrl_num and chip->num were out of bounds.  If only one failed the
  bounds check arbitrary memory would be read and returned.
  
  The NAND framework is not built by default, nandsim is not intended for
  production use (it is a simulator), and the nandsim device has root-only
  permissions.
  
  admbugs:	827
  Reported by:	Daniel Hodson of elttam
  MFC after:	3 days
  Security:	kernel information leak or DoS
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/dev/nand/nandsim.c

Modified: head/sys/dev/nand/nandsim.c
==============================================================================
--- head/sys/dev/nand/nandsim.c	Fri Jun 21 10:54:51 2019	(r349267)
+++ head/sys/dev/nand/nandsim.c	Fri Jun 21 13:42:40 2019	(r349268)
@@ -295,7 +295,7 @@ nandsim_chip_status(struct sim_chip *chip)
 	nand_debug(NDBG_SIM,"status for chip num:%d at ctrl:%d", chip->num,
 	    chip->ctrl_num);
 
-	if (chip->ctrl_num >= MAX_SIM_DEV &&
+	if (chip->ctrl_num >= MAX_SIM_DEV ||
 	    chip->num >= MAX_CTRL_CS)
 		return (EINVAL);
 
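Review bot: The corrected test at `chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS` bounds both indices from above only, and the `nand_debug` call just before it prints them with `%d`. If these fields are signed in `struct sim_chip`, a negative user-supplied value still passes the check and indexes before the start of the array. Please confirm the fields are unsigned, or add an explicit `< 0` test for each. Since the log message says both values are user-provided, it is also worth checking whether the other handlers in nandsim.c that take a controller or chip number combine their bounds checks with `&&` in the same way.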


