While doing some static analysis on the Linux kernel, I found an interesting heap overflow. Even though I don't have the hardware to trigger it, I reported it, and a patch was provided after only half an hour! Kudos to the maintainer from Oracle.
The issue is quite simple.
int32_t user_len is taken directly from the SCSI command at line
2399 and is passed, without any check, to the following memcpy on lines
The destination buffer is allocated a few lines earlier on the heap and has a fixed size of
Since user_len is unbounded, a kernel heap overflow can happen.
You can check the code here as well.
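The pattern described above, reduced to a user-space model, as an added example that is not the post's code nor the affected driver's code: a signed 32-bit length read from the command is used as the memcpy size for a fixed-size heap buffer. The buffer size (64), the struct layout and the function names are assumptions for illustration; the fix shape (validate the length against the destination size before copying, and reject negative values explicitly) is the generic check a driver needs here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's fixed-size heap buffer. The real
 * size is not given on the page; 64 bytes is an assumption. */
#define REPLY_BUF_SIZE 64

/* Constructed, hypothetical layout of the part of the SCSI command that
 * carries the caller-controlled length and the payload to copy. */
struct scsi_cmd_stub {
    int32_t user_len;       /* taken as-is from the command, like the driver does */
    const uint8_t *payload;
};

/* Answers the question the post raises without performing the copy:
 * would memcpy(dst, src, user_len) write past dst_size bytes?
 * memcpy's size parameter is size_t, so a negative int32_t is converted
 * to a huge unsigned value and overflows just like a large positive one. */
int unchecked_copy_overflows(size_t dst_size, int32_t user_len)
{
    return (size_t)user_len > dst_size;
}

/* Hardened copy: validates user_len against the destination size before
 * memcpy. Returns 0 on success, -EINVAL if the length is unusable. */
int copy_user_data(uint8_t *dst, size_t dst_size,
                   const struct scsi_cmd_stub *cmd)
{
    /* Reject negative lengths explicitly instead of relying on the
     * implicit signed-to-unsigned conversion in the comparison below. */
    if (cmd->user_len < 0)
        return -EINVAL;
    if ((size_t)cmd->user_len > dst_size)
        return -EINVAL;
    memcpy(dst, cmd->payload, (size_t)cmd->user_len);
    return 0;
}

/* Runs the hardened copy with a constructed command and a 128-byte source
 * (larger than the destination) so that a missing check would be visible. */
int try_copy(int32_t user_len)
{
    uint8_t src[128];
    uint8_t dst[REPLY_BUF_SIZE];
    struct scsi_cmd_stub cmd = { user_len, src };

    memset(src, 'A', sizeof src);
    memset(dst, 0, sizeof dst);
    return copy_user_data(dst, sizeof dst, &cmd);
}

int main(void)
{
    int32_t lengths[] = { 16, 64, 65, 4096, -1 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("user_len=%6d  unchecked memcpy overflows: %d  hardened copy: %s\n",
               lengths[i],
               unchecked_copy_overflows(REPLY_BUF_SIZE, lengths[i]),
               try_copy(lengths[i]) == 0 ? "ok" : "rejected (-EINVAL)");
    }
    return 0;
}
```

The two checks in copy_user_data are deliberately separate: on common 64-bit ABIs the single comparison `(size_t)user_len > dst_size` already rejects negative values because they convert to values near SIZE_MAX, but the explicit `< 0` test documents the intent and does not depend on that conversion.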