[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux kernel < 4.14.111 drivers/message/fusion/mptscsih.c kernel address dumps to use
From:       Fuqian Huang <huangfq.daxian () gmail ! com>
Date:       2019-04-18 13:32:54
Message-ID: CABXRUiQuyKO0DcAkODv6k-e5LLDu-D_8g6KOw4Xr1ZpuDSh2mw () mail ! gmail ! com
[Download RAW message or body]

In drivers/message/fusion/mptscsih.c:1701
and drivers/message/fusion/mptscsih.c:1786,
mptscsih_abort will dump the address of SCpnt into dmesg,
which allows local user to read the kernel address via dmesg.

int
mptscsih_abort(struct scsi_cmnd * SCpnt)
{
    ...
    printk(MYIOC_s_INFO_FMT "attempting task abort! (sc=%p)\n",
           ioc->name, SCpnt);
    ...
 out:
    printk(MYIOC_s_INFO_FMT "task abort: %s (rv=%04x) (sc=%p)\n",
        ioc->name, ((retval == SUCCESS) ? "SUCCESS" : "FAILED"), retval,
        SCpnt);
    ...
}

In drivers/message/fusion/mptscsih.c:1819
and drivers/message/fusion/mptscsih.c:1843,
mptscsih_dev_reset will dump the address of SCpnt into dmesg,
which allows local user to read the kernel address via dmesg.

int
mptscsih_dev_reset(struct scsi_cmnd *SCpnt)
{
    ...
    printk(MYIOC_s_INFO_FMT "attempting target reset! (sc=%p)\n",
           ioc->name, SCpnt);
    ...
 out:
    printk (MYIOC_s_INFO_FMT "target reset: %s (sc=%p)\n",
        ioc->name, ((retval == 0) ? "SUCCESS" : "FAILED" ), SCpnt);
    ...
}

In drivers/message/fusion/mptscsih.c:1931
and drivers/message/fusion/mptscsih.c:1943,
mptscsih_host_reset will dump the address of SCpnt into dmesg,
which allows local user to read the kernel address via dmesg.

int
mptscsih_host_reset(struct scsi_cmnd *SCpnt)
{
    ...
    printk(MYIOC_s_INFO_FMT "attempting host reset! (sc=%p)\n",
        ioc->name, SCpnt);
    ...
    printk(MYIOC_s_INFO_FMT "host reset: %s (sc=%p)\n",
        ioc->name, ((retval == 0) ? "SUCCESS" : "FAILED" ), SCpnt);
    ...
}
[prev in list] [next in list] [prev in thread] [next in thread]