[Bug 238023] integer overflow in scsisanitize in sbin/camcontrol/camcontrol.c
bugzilla-noreply at freebsd.org
Tue May 21 13:47:53 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238023
Bug ID: 238023
Summary: integer overflow in scsisanitize in
sbin/camcontrol/camcontrol.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 204511
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204511&action=edit
Proposed patch
There is an integer overflow vulnerability in function scsisanitize of
sbin/camcontrol/camcontrol.c:
	if ((scsi_get_sks(sense, ccb->csio.sense_len -
	     ccb->csio.sense_resid, sks) == 0)
	 && (quiet == 0)) {
		int val;
		u_int64_t percentage;

		val = scsi_2btoul(&sks[1]);
		percentage = 10000 * val;

		fprintf(stdout,
			"\rSanitizing: %ju.%02u %% "
			"(%d/%d) done",
			(uintmax_t)(percentage /
			(0x10000 * 100)),
			(unsigned)((percentage /
			0x10000) % 100),
			val, 0x10000);
		fflush(stdout);
The type for percentage is u_int64_t, and the type for val is int.
Therefore, there would be an integer overflow, which is similar to the vulnerability
that was fixed in
https://github.com/freebsd/freebsd/commit/d1f96a5c3d79da16294b41369da6b5e512c7e8cd.
The attachment is the proposed patch.
--
You are receiving this mail because:
You are the assignee for the bug.
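
Added example (not part of the bug report or the FreeBSD source): in C, 10000 * val with an int val is evaluated in int, and only the result is converted to u_int64_t. The sketch below checks for which values that int product wraps and computes the same percentage with one operand widened first. It assumes a 32-bit int and GCC or Clang; the function names are hypothetical, and the 0xFFFFFF input goes beyond the 2-byte case in the excerpt.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Scale factor and denominator as they appear in the quoted excerpt. */
#define SCALE 10000
#define DENOM 0x10000

/* True when SCALE * val does not fit in int, i.e. when the product in
 * "percentage = 10000 * val" would wrap before it is widened. */
static bool int_product_overflows(int val)
{
    int tmp;
    return __builtin_mul_overflow(SCALE, val, &tmp); /* GCC/Clang builtin */
}

/* Widen one operand first so the multiplication is done in 64 bits. */
static uint64_t scaled_progress(uint32_t val)
{
    return (uint64_t)SCALE * val;
}

/* Whole-percent and hundredths parts, as in the progress line. */
static unsigned pct_whole(uint32_t val)
{
    return (unsigned)(scaled_progress(val) / (DENOM * 100));
}

static unsigned pct_frac(uint32_t val)
{
    return (unsigned)((scaled_progress(val) / DENOM) % 100);
}

int main(void)
{
    /* Constructed inputs: 0xFFFF is the largest 2-byte value; 0xFFFFFF is
     * a hypothetical wider counter, included to show where int wraps. */
    const uint32_t samples[] = { 0x8000, 0xFFFF, 0xFFFFFF };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("val=%#x int_wraps=%d scaled=%ju pct=%u.%02u\n",
            (unsigned)samples[i], int_product_overflows((int)samples[i]),
            (uintmax_t)scaled_progress(samples[i]),
            pct_whole(samples[i]), pct_frac(samples[i]));
    return 0;
}
```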