svn commit: r349268 - head/sys/dev/nand
Ed Maste
emaste at FreeBSD.org
Fri Jun 21 13:42:42 UTC 2019
Author: emaste
Date: Fri Jun 21 13:42:40 2019
New Revision: 349268
URL: https://svnweb.freebsd.org/changeset/base/349268
Log:
nandsim: correct test to avoid out-of-bounds access

Previously nandsim_chip_status returned EINVAL iff both of user-provided
chip->ctrl_num and chip->num were out of bounds. If only one failed the
bounds check arbitrary memory would be read and returned.

The NAND framework is not built by default, nandsim is not intended for
production use (it is a simulator), and the nandsim device has root-only
permissions.

admbugs: 827
Reported by: Daniel Hodson of elttam
MFC after: 3 days
Security: kernel information leak or DoS
Sponsored by: The FreeBSD Foundation
Modified:
head/sys/dev/nand/nandsim.c
Modified: head/sys/dev/nand/nandsim.c
==============================================================================
--- head/sys/dev/nand/nandsim.c Fri Jun 21 10:54:51 2019 (r349267)
+++ head/sys/dev/nand/nandsim.c Fri Jun 21 13:42:40 2019 (r349268)
@@ -295,7 +295,7 @@ nandsim_chip_status(struct sim_chip *chip)
nand_debug(NDBG_SIM,"status for chip num:%d at ctrl:%d", chip->num,
chip->ctrl_num);
- if (chip->ctrl_num >= MAX_SIM_DEV &&
+ if (chip->ctrl_num >= MAX_SIM_DEV ||
chip->num >= MAX_CTRL_CS)
return (EINVAL);
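
Review bot: The corrected test in nandsim_chip_status still checks only the upper bound of chip->ctrl_num and chip->num. The nand_debug call just above prints both fields with %d, which suggests they may be signed; if they are, a negative value supplied by the caller passes "chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS" and can still index out of bounds. Please confirm that both fields are unsigned in struct sim_chip, or add an explicit "< 0" check on each to the same condition. A short comment noting that both values are user-provided would also help prevent the test from regressing.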