Date: Tue, 21 May 2019 13:47:50 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238023] integer overflow in scsisanitize in sbin/camcontrol/camcontrol.c
Message-ID: <bug-238023-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238023

Bug ID: 238023
Summary: integer overflow in scsisanitize in sbin/camcontrol/camcontrol.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: yangx92@hotmail.com

Created attachment 204511
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204511&action=edit
Proposed patch

There is an integer overflow vulnerability in function scsisanitize of
sbin/camcontrol/camcontrol.c

    if ((scsi_get_sks(sense, ccb->csio.sense_len -
         ccb->csio.sense_resid, sks) == 0)
     && (quiet == 0)) {
            int val;
            u_int64_t percentage;

            val = scsi_2btoul(&sks[1]);
            percentage = 10000 * val;

            fprintf(stdout,
                    "\rSanitizing: %ju.%02u %% "
                    "(%d/%d) done",
                    (uintmax_t)(percentage /
                    (0x10000 * 100)),
                    (unsigned)((percentage /
                    0x10000) % 100),
                    val, 0x10000);
            fflush(stdout);

The type for percentage is u_int64_t, and the type for val is int. Therefore,
there would be integer overflow, which is similar to the vulnerability that was
fixed in
https://github.com/freebsd/freebsd/commit/d1f96a5c3d79da16294b41369da6b5e512c7e8cd.

The attachment is the proposed patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
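
Added example, not part of the bug report, its attachment or camcontrol.c: it evaluates the excerpt's `10000 * val` product for several operand values, reporting whether the multiplication fits when performed in `int` (the type both operands have before the result is assigned to the `u_int64_t`) and computing it with one operand widened first. The function names, the sample values and the assumption of a 32-bit `int` are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* 1 if 10000 * val, evaluated in int as in `percentage = 10000 * val`,
 * would exceed INT_MAX. The test itself is done in 64 bits, so it is safe.
 * Assumes a 32-bit int. */
static int int_product_overflows(unsigned int val)
{
    return (int64_t)val * 10000 > (int64_t)INT_MAX;
}

/* Widen-first form: converting one operand before the '*' makes the
 * whole multiplication 64-bit, whatever the size of val. */
static uint64_t scaled_progress(unsigned int val)
{
    return (uint64_t)val * 10000u;
}

/* Same split into whole percent and two decimals as the excerpt's fprintf. */
static unsigned percent_whole(uint64_t scaled)
{
    return (unsigned)(scaled / (0x10000 * 100));
}

static unsigned percent_frac(uint64_t scaled)
{
    return (unsigned)((scaled / 0x10000) % 100);
}

int main(void)
{
    /* Constructed samples: the 0..0xFFFF range implied by the excerpt's
     * "(%d/%d)" output, then hypothetical wider values that only
     * exercise the overflow check. */
    const unsigned int samples[] = { 0, 0x8000, 0xFFFF, 214748, 214749, 0x40000 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int val = samples[i];
        uint64_t scaled = scaled_progress(val);

        printf("val=%-7u int product %-9s widened=%ju -> %u.%02u %%\n",
               val, int_product_overflows(val) ? "overflows" : "fits",
               (uintmax_t)scaled, percent_whole(scaled), percent_frac(scaled));
    }
    return 0;
}
```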