[Bug 238023] integer overflow in scsisanitize in sbin/camcontrol/camcontrol.c

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue May 21 13:47:53 UTC 2019


            Bug ID: 238023
           Summary: integer overflow in scsisanitize in
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: yangx92 at hotmail.com

Created attachment 204511
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204511&action=edit
Proposed patch

There is an integer overflow vulnerability in function scsisanitize of

                                if ((scsi_get_sks(sense, ccb->csio.sense_len -
                                     ccb->csio.sense_resid, sks) == 0)
                                 && (quiet == 0)) {
                                        int val;
                                        u_int64_t percentage;

                                        val = scsi_2btoul(&sks[1]);
                                        percentage = 10000 * val;

                                                "\rSanitizing:  %ju.%02u %% "
                                                "(%d/%d) done",
                                                (uintmax_t)(percentage /
                                                (0x10000 * 100)),
                                                (unsigned)((percentage /
                                                0x10000) % 100),
                                                val, 0x10000);

The type for percentage is u_int64_t, and the type for val is int.
Therefore, there would be an integer overflow, which is similar to the vulnerability
that was fixed in

The attachment is the proposed patch.

You are receiving this mail because:
You are the assignee for the bug.
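
The arithmetic pattern from the excerpt above, as an added example (not the attached patch and not FreeBSD source): it reports at which `val` the `int`-width product `10000 * val` stops fitting, next to a form that multiplies at 64-bit width. Assumptions: `be16_decode` is a stand-in for `scsi_2btoul`, the function names and sample bytes are constructed for illustration, and `__builtin_mul_overflow` requires GCC or Clang.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for scsi_2btoul(): decode a 2-byte big-endian field. */
static uint32_t be16_decode(const uint8_t *b)
{
    return ((uint32_t)b[0] << 8) | b[1];
}

/* `percentage = 10000 * val;` with an int val multiplies at int width;
 * the conversion to the 64-bit destination happens after the multiply.
 * Returns 1 when that int-width product does not fit in an int. */
static int int_product_overflows(int val)
{
    int tmp;
    return __builtin_mul_overflow(10000, val, &tmp);
}

/* Widened form: a 64-bit operand forces the multiply to 64-bit width. */
static uint64_t progress_scaled(uint32_t val)
{
    return UINT64_C(10000) * val;
}

/* Same output layout as the excerpt: whole percent, two decimals. */
static int format_progress(char *buf, size_t len, uint32_t val)
{
    uint64_t p = progress_scaled(val);
    return snprintf(buf, len, "%ju.%02u %% (%u/%d)",
        (uintmax_t)(p / (0x10000 * 100)),
        (unsigned)((p / 0x10000) % 100), (unsigned)val, 0x10000);
}

int main(void)
{
    /* Constructed sample bytes: progress field 0x8000 at offset 1. */
    const uint8_t sks[3] = { 0x80, 0x80, 0x00 };
    char line[64];

    format_progress(line, sizeof(line), be16_decode(&sks[1]));
    printf("Sanitizing:  %s done\n", line);
    printf("int product fits up to val = %d\n", INT_MAX / 10000);
    return 0;
}
```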
