Date: Tue, 21 May 2019 13:47:50 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238023] integer overflow in scsisanitize in sbin/camcontrol/camcontrol.c
Message-ID: <bug-238023-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238023

            Bug ID: 238023
           Summary: integer overflow in scsisanitize in
                    sbin/camcontrol/camcontrol.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 204511
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204511&action=edit
Proposed patch

There is an integer overflow vulnerability in function scsisanitize of
sbin/camcontrol/camcontrol.c

    if ((scsi_get_sks(sense, ccb->csio.sense_len -
         ccb->csio.sense_resid, sks) == 0)
     && (quiet == 0)) {
            int val;
            u_int64_t percentage;

            val = scsi_2btoul(&sks[1]);
            percentage = 10000 * val;

            fprintf(stdout,
                    "\rSanitizing: %ju.%02u %% "
                    "(%d/%d) done",
                    (uintmax_t)(percentage /
                    (0x10000 * 100)),
                    (unsigned)((percentage /
                    0x10000) % 100),
                    val, 0x10000);
            fflush(stdout);

The type for percentage is u_int64_t, and the type for val is int. Therefore,
there would be an integer overflow, which is similar to the vulnerability that
was fixed in
https://github.com/freebsd/freebsd/commit/d1f96a5c3d79da16294b41369da6b5e512c7e8cd.

The attachment is the proposed patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
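
An added example, not part of the report or of camcontrol.c: the progress
arithmetic from the quoted fragment with the multiplication widened to 64 bits
before it happens, plus a division-based check of which int values keep
`10000 * val` representable in int. All function names are hypothetical, and
be16_decode is an assumed stand-in for scsi_2btoul reading two big-endian bytes.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for scsi_2btoul(): decode a 2-byte big-endian field. */
static uint32_t be16_decode(const uint8_t *b)
{
	return ((uint32_t)b[0] << 8) | b[1];
}

/* True if `10000 * val`, evaluated in int as in the quoted code, is not
 * representable. Checked by division so the test itself cannot overflow. */
static int int_product_overflows(int val)
{
	return val > INT_MAX / 10000 || val < INT_MIN / 10000;
}

/* Widened form: one operand is 64-bit before the multiplication happens. */
static uint64_t progress_scaled(uint32_t val)
{
	return (uint64_t)10000 * val;
}

/* Same split into whole and hundredths as the fprintf() arguments. */
static void progress_percent(uint32_t val, uint64_t *whole, unsigned *frac)
{
	uint64_t percentage = progress_scaled(val);

	*whole = percentage / (0x10000 * 100);
	*frac = (unsigned)((percentage / 0x10000) % 100);
}

int main(void)
{
	/* Constructed sample bytes: the largest 16-bit progress value. */
	const uint8_t sample[2] = { 0xff, 0xff };
	uint32_t val = be16_decode(sample);
	uint64_t whole;
	unsigned frac;

	progress_percent(val, &whole, &frac);
	printf("val=%u int product overflows: %d\n", (unsigned)val,
	    int_product_overflows((int)val));
	printf("progress: %ju.%02u %%\n", (uintmax_t)whole, frac);
	return 0;
}
```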
