Author: emaste
Date: Wed Jul 3 17:34:26 2019
New Revision: 349657
URL: https://svnweb.freebsd.org/changeset/base/349657
Log: MFC r349268: nandsim: correct test to avoid out-of-bounds access Previously nandsim_chip_status returned EINVAL iff both of user-provided chip->ctrl_num and chip->num were out of bounds. If only one failed the bounds check arbitrary memory would be read and returned. The NAND framework is not built by default, nandsim is not intended for production use (it is a simulator), and the nandsim device has root-only permissions. admbugs: 827 Reported by: Daniel Hodson of elttam Security: kernel information leak or DoS Sponsored by: The FreeBSD Foundation Modified: stable/12/sys/dev/nand/nandsim.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/dev/nand/nandsim.c ============================================================================== --- stable/12/sys/dev/nand/nandsim.c Wed Jul 3 17:24:24 2019 (r349656) +++ stable/12/sys/dev/nand/nandsim.c Wed Jul 3 17:34:26 2019 (r349657) @@ -295,7 +295,7 @@ nandsim_chip_status(struct sim_chip *chip) nand_debug(NDBG_SIM,"status for chip num:%d at ctrl:%d", chip->num, chip->ctrl_num); - if (chip->ctrl_num >= MAX_SIM_DEV && + if (chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS) return (EINVAL); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
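Review bot: The corrected test in nandsim_chip_status checks upper bounds only ("chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS"), which is sufficient only if both fields are unsigned. The hunk does not show their declarations, and the nand_debug call just above prints both with %d, so their signedness cannot be read from this change. If either field is a signed type, a negative user-provided value would still pass this check; please confirm the types in struct sim_chip or add explicit lower-bound tests. Because the original "&&" survived in a two-field check on user-provided values, the other nandsim entry points that accept ctrl_num and num from user space should be checked for the same pattern, and a short comment stating that both indices must be in range before any lookup would help keep the condition from regressing.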