Vigil@nce - Linux kernel: integer overflow via SCSI GDT
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the system has an SCSI ICP GDT array disk controller, a local
attacker can use an ioctl with a large parameter to corrupt kernel
memory.
Severity: 1/4
Creation date: 05/11/2010
DESCRIPTION OF THE VULNERABILITY
The drivers/scsi/gdth.c module implements support for SCSI ICP
GDT array disk controllers.
The gdth_ioctl_alloc() function allocates memory for ioctls.
However, if the given size is too large, an integer overflow
occurs, which leads to user-supplied data being written to kernel
memory.
When the system has an SCSI ICP GDT array disk controller, a local
attacker can therefore use an ioctl with a large parameter to
corrupt kernel memory.
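The class of defect described above, as an added userspace example
that is not the gdth.c code: an allocation size built from
caller-supplied lengths wraps in 32-bit arithmetic, next to a bounded
version that rejects the request. The field names, HDR_SIZE and
MAX_IOCTL_BUF are assumptions made for illustration; the bulletin
does not give the driver's actual size computation.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 64u              /* hypothetical fixed header size */
#define MAX_IOCTL_BUF (1u << 20)  /* hypothetical upper bound, 1 MiB */

/* Unchecked: 32-bit addition wraps modulo 2^32 for large lengths. */
static uint32_t alloc_size_unchecked(uint32_t data_len, uint32_t sense_len)
{
    return HDR_SIZE + data_len + sense_len;
}

/* Checked: returns 0 and stores the size, or -1 if the request is rejected. */
static int alloc_size_checked(uint32_t data_len, uint32_t sense_len, uint32_t *out)
{
    if (data_len > MAX_IOCTL_BUF || sense_len > MAX_IOCTL_BUF)
        return -1;                 /* bound each term so the sum cannot wrap */
    uint32_t total = HDR_SIZE + data_len + sense_len;
    if (total > MAX_IOCTL_BUF)
        return -1;
    *out = total;
    return 0;
}

/* Bytes a later copy would write past the buffer if it used the caller's
 * lengths while the allocation used the wrapped size (modelled, not copied). */
static uint64_t overrun_bytes(uint32_t data_len, uint32_t sense_len)
{
    uint64_t wanted = (uint64_t)HDR_SIZE + data_len + sense_len;
    uint64_t got = alloc_size_unchecked(data_len, sense_len);
    return wanted > got ? wanted - got : 0;
}

int main(void)
{
    uint32_t data_len = 0xFFFFFFF0u, sense_len = 0x20u; /* constructed input */
    uint32_t sz = 0;
    printf("unchecked size: %u\n", alloc_size_unchecked(data_len, sense_len));
    printf("overrun bytes:  %llu\n", (unsigned long long)overrun_bytes(data_len, sense_len));
    printf("checked result: %d\n", alloc_size_checked(data_len, sense_len, &sz));
    printf("benign request: %d\n", alloc_size_checked(512, 32, &sz));
    return 0;
}
```

When auditing ioctl handlers, look for the same shape: a size derived
from user input reaching an allocator without an upper bound, followed
by a copy that uses the original lengths.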
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-integer-overflow-via-SCSI-GDT-10107