List: oss-security
Subject: [oss-security] Re: Linux kernel: information disclosure in stex_queuecommand_lck
From: Xingyuan Mo <hdthky0@gmail.com>
Date: 2022-09-19 7:46:35
Message-ID: CALV6CNMWFmWc9O9qL8FBxdrNs79foRYgVZTuvvxYLR80WA8qew@mail.gmail.com
CVE-2022-40768 has been assigned to this issue.
Thanks,
Xingyuan Mo
On Fri, Sep 9, 2022 at 12:52 PM Xingyuan Mo <hdthky0@gmail.com> wrote:
>
> Hello,
>
> We found an information disclosure vulnerability in stex_queuecommand_lck() in
> drivers/scsi/stex.c through linux v6.0-rc4 which allows an attacker to disclose
> sensitive information such as kernel space address.
>
> This issue can be fixed with the following patch:
> https://lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org/
>
> =*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=
>
> In drivers/scsi/stex.c, stex_queuecommand_lck():
>
>     case PASSTHRU_CMD:
>         if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) {
>             struct st_drvver ver;
>             size_t cp_len = sizeof(ver);
>
>             ver.major = ST_VER_MAJOR;
>             ver.minor = ST_VER_MINOR;
>             ver.oem = ST_OEM;
>             ver.build = ST_BUILD_VER;
>             ver.signature[0] = PASSTHRU_SIGNATURE;
>             ver.console_id = host->max_id - 1;
>             ver.host_no = hba->host->host_no;
>             cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len);
>             if (sizeof(ver) == cp_len)
>                 cmd->result = DID_OK << 16;
>             else
>                 cmd->result = DID_ERROR << 16;
>             done(cmd);
>             return 0;
>         }
>         break;
>
> The variable ver is declared on the stack, but is not zeroed out before being
> copied back to user space, resulting in sensitive information disclosure.
>
> =*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=
>
> 2022-09-08: bug reported
> 2022-09-08: patch released
>
> =*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=
>
> Xingyuan Mo (@hdthky) and Gengjia Chen (@chengjia4574) of IceSword Lab, 360
>
>
> Best Regards,
> Xingyuan Mo
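The following is an added, stand-alone illustration of the bug class in the report above; it is not code from the post, from the stex driver, or from the kernel fix. The struct is a constructed approximation: it keeps the fields the quoted snippet writes (major, minor, oem, build, signature[0], console_id, host_no) and adds assumed trailing fields (signature[1], reserved0, reserved) that the snippet never touches; the ST_*/PASSTHRU_* values, DEMO_MAX_ID and DEMO_HOST_NO are placeholders, and STALE stands in for whatever the kernel stack happened to hold before the call. The "fixed" path zeroes the struct with memset before filling it; see the patch linked in the report for the driver's actual change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed approximation of struct st_drvver (not the kernel's definition).
 * Every field is naturally aligned, so there is no compiler padding and the
 * byte counts below are deterministic.
 */
struct st_drvver {
	uint8_t  major;
	uint8_t  minor;
	uint8_t  oem;
	uint8_t  build;
	uint32_t signature[2];   /* the driver writes only [0] */
	uint8_t  console_id;
	uint8_t  host_no;
	uint8_t  reserved0[2];   /* assumed field, never written */
	uint32_t reserved[3];    /* assumed field, never written */
};

/* Placeholder values standing in for the driver's ST_* / PASSTHRU_* constants. */
#define ST_VER_MAJOR        6
#define ST_VER_MINOR        2
#define ST_OEM              0
#define ST_BUILD_VER        4
#define PASSTHRU_SIGNATURE  0x54534150u
#define DEMO_MAX_ID         16   /* stands in for host->max_id */
#define DEMO_HOST_NO        0    /* stands in for hba->host->host_no */

/* Byte pattern simulating stale stack contents; chosen so no written field equals it. */
#define STALE 0xAA

/* Exactly what the vulnerable code writes: the named fields and nothing else. */
static void fill_ver(struct st_drvver *ver)
{
	ver->major = ST_VER_MAJOR;
	ver->minor = ST_VER_MINOR;
	ver->oem = ST_OEM;
	ver->build = ST_BUILD_VER;
	ver->signature[0] = PASSTHRU_SIGNATURE;
	ver->console_id = DEMO_MAX_ID - 1;
	ver->host_no = DEMO_HOST_NO;
}

/*
 * Build the reply the way the driver does and copy it to `out`, which stands
 * in for the scatter-gather buffer handed back to user space. The struct is
 * first filled with STALE to simulate leftover stack data; with zero_first
 * set it is cleared before filling, which is the fix.
 */
static size_t build_reply(uint8_t *out, size_t out_len, int zero_first)
{
	struct st_drvver ver;
	size_t cp_len = sizeof(ver) < out_len ? sizeof(ver) : out_len;

	memset(&ver, STALE, sizeof(ver));   /* simulated stale stack contents */
	if (zero_first)
		memset(&ver, 0, sizeof(ver));   /* fixed variant: clear before use */
	fill_ver(&ver);
	memcpy(out, &ver, cp_len);
	return cp_len;
}

/* Count bytes of the reply that still carry the STALE pattern, i.e. leaked bytes. */
static size_t count_stale(const uint8_t *buf, size_t len)
{
	size_t n = 0;
	for (size_t i = 0; i < len; i++)
		if (buf[i] == STALE)
			n++;
	return n;
}

/* Number of never-initialized stack bytes that reach user space for each variant. */
size_t leaked_bytes(int zero_first)
{
	uint8_t out[sizeof(struct st_drvver)];
	size_t cp_len = build_reply(out, sizeof(out), zero_first);
	return count_stale(out, cp_len);
}

int main(void)
{
	printf("sizeof(struct st_drvver) = %zu\n", sizeof(struct st_drvver));
	printf("vulnerable: %zu of %zu bytes are stale stack data\n",
	       leaked_bytes(0), sizeof(struct st_drvver));
	printf("fixed:      %zu of %zu bytes are stale stack data\n",
	       leaked_bytes(1), sizeof(struct st_drvver));
	return 0;
}
```

With this layout the vulnerable path copies 18 of 28 bytes (signature[1], reserved0 and reserved) straight from uninitialized stack memory into the user-visible buffer, while the zeroed variant leaks none. The same reasoning applies to any struct built on the stack and copied out whole: every byte not explicitly written, including compiler padding that this layout happens to avoid, is a potential leak, and a memset (or a `= {0}` initializer plus a check for padding) before the copy is the practitioner's default.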