CVE-2016-7425

oss-sec link

http://www.openwall.com/lists/oss-security/2016/09/16/15

The Bug

While doing some static analysis on the Linux kernel, I found an interesting heap overflow in the arcmsr SCSI driver. Even though I don't have the hardware to trigger it, I reported it, and a patch was provided within half an hour! Kudos to the maintainer from Oracle.

2389         case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
2390                 unsigned char *ver_addr;
2391                 int32_t user_len, cnt2end;
2392                 uint8_t *pQbuffer, *ptmpuserbuffer;
2393                 ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
2394                 if (!ver_addr) {
2395                         retvalue = ARCMSR_MESSAGE_FAIL;
2396                         goto message_out;
2397                 }
2398                 ptmpuserbuffer = ver_addr;
2399                 user_len = pcmdmessagefld->cmdmessage.Length;
2400                 memcpy(ptmpuserbuffer,
2401                         pcmdmessagefld->messagedatabuffer, user_len);

The issue is quite simple.

The int32_t user_len is read straight from the SCSI command (pcmdmessagefld->cmdmessage.Length) at line 2399 and passed, without any check, as the size argument of the memcpy on lines 2400-2401. The destination buffer ver_addr is allocated on the heap a few lines earlier with a fixed size of ARCMSR_API_DATA_BUFLEN, which is 1032 bytes. Since user_len is never compared against that size, a message whose Length exceeds 1032 writes past the end of the kmalloc'd object: a kernel heap overflow. Note also that user_len is signed while memcpy takes a size_t, so a negative Length is converted to a huge unsigned count; a fix therefore has to reject negative values as well, not just lengths above 1032.
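To make the pattern concrete, here is an added user-space model of the ARCMSR_MESSAGE_WRITE_WQBUFFER path quoted above; it is example code, not the driver's code and not from the original post. The struct cmd_message_field and the xfer_result codes are simplified stand-ins for the driver's types (only the fields the bug touches), ARCMSR_API_DATA_BUFLEN keeps the driver's value of 1032, and the bounds check is written the way this example chooses to (comparing as size_t) rather than copied from the upstream patch. Instead of really corrupting the heap, the unchecked path reports how many bytes the memcpy would have written past the buffer, so the signed-to-size_t problem with a Length of -1 shows up as a number rather than a crash.

```c
/*
 * Added example, not the arcmsr driver's code: a user-space model of the
 * ARCMSR_MESSAGE_WRITE_WQBUFFER handler. struct cmd_message_field and the
 * xfer_result codes are simplified stand-ins; ARCMSR_API_DATA_BUFLEN keeps
 * the driver's value.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARCMSR_API_DATA_BUFLEN 1032   /* size of the kmalloc()'d ver_addr buffer */

/* Stand-in for the driver's message struct: only the fields the bug touches. */
struct cmd_message_field {
    int32_t Length;                                   /* controlled by whoever sends the SCSI command */
    uint8_t messagedatabuffer[ARCMSR_API_DATA_BUFLEN];
};

/* Illustrative result codes (not the driver's ARCMSR_MESSAGE_* values). */
enum xfer_result { XFER_OK = 0, XFER_FAIL = 1, XFER_WOULD_OVERFLOW = 2 };

/*
 * memcpy()'s third parameter is size_t, so an int32_t user_len is converted:
 * 0x7fffffff copies 2 GiB and -1 becomes SIZE_MAX. Returns how many bytes such
 * a copy would write past the end of the 1032-byte buffer (0 means it fits).
 */
static size_t overflow_bytes(int32_t user_len)
{
    size_t copy_len = (size_t)user_len;
    return copy_len > ARCMSR_API_DATA_BUFLEN ? copy_len - ARCMSR_API_DATA_BUFLEN : 0;
}

/*
 * Bounds check in the spirit of the fix. Comparing in size_t rather than as a
 * signed int is this example's choice: it rejects negative lengths as well.
 */
static int wqbuffer_len_ok(int32_t user_len)
{
    return (size_t)user_len <= ARCMSR_API_DATA_BUFLEN;
}

/*
 * Model of the handler. checked == 0 follows the vulnerable code, checked == 1
 * applies wqbuffer_len_ok() first. Rather than really corrupting the heap
 * (undefined behaviour), the unchecked path reports XFER_WOULD_OVERFLOW at the
 * point where the driver called memcpy() with the oversized length.
 */
static enum xfer_result write_wqbuffer(const struct cmd_message_field *msg, int checked)
{
    unsigned char *ver_addr = malloc(ARCMSR_API_DATA_BUFLEN);  /* kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC) */
    if (!ver_addr)
        return XFER_FAIL;

    int32_t user_len = msg->Length;                   /* user_len = pcmdmessagefld->cmdmessage.Length; */

    if (checked && !wqbuffer_len_ok(user_len)) {
        free(ver_addr);
        return XFER_FAIL;                             /* retvalue = ARCMSR_MESSAGE_FAIL; goto message_out; */
    }
    if (overflow_bytes(user_len) != 0) {
        free(ver_addr);
        return XFER_WOULD_OVERFLOW;                   /* the driver did memcpy(ver_addr, ..., user_len) here */
    }
    memcpy(ver_addr, msg->messagedatabuffer, (size_t)user_len);
    free(ver_addr);
    return XFER_OK;
}

/* Builds a constructed message with the given Length and runs it through the model. */
static enum xfer_result xfer_with_len(int32_t len, int checked)
{
    struct cmd_message_field msg;
    memset(&msg, 'A', sizeof msg);                    /* constructed payload, content is irrelevant */
    msg.Length = len;
    return write_wqbuffer(&msg, checked);
}

int main(void)
{
    /* Constructed inputs: a well-formed length and two hostile ones. */
    const int32_t lengths[] = { 64, 4096, -1 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int32_t len = lengths[i];
        printf("Length %11d: unchecked=%d checked=%d would overflow by %zu bytes\n",
               len, xfer_with_len(len, 0), xfer_with_len(len, 1), overflow_bytes(len));
    }
    return 0;
}
```

With the unchecked path, a Length of 4096 overruns the 1032-byte object by 3064 bytes, and a Length of -1 would hand memcpy a count of SIZE_MAX; a check written as `if (user_len > ARCMSR_API_DATA_BUFLEN)` on the signed int32_t would let that second case through, which is why the example compares in size_t.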

You can also check the code here.