[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[oss-security] Linux Kernel: out of bounds array access in dm-ioctl.c


We found an out of bounds array accessing bug in drivers/md/dm-ioctl.c, and
reproduced it in the latest kernel (v5.11.10).

The root cause of this BUG is :

The field "data_size" in function ctl_ioctl is fully controlled by users
and this argument controls the size of kvmalloc in function copy_params.

When the data_size is in a range of [0x131,0x138], the allocated memory
which is pointed by the variable "param" used in ioctl
"DM_LIST_DEVICES_CMD" is too small, causing an oob bug at line "nl->dev =
0; /* Flags no data */" (

Attachments are the poc, kernel config and Kernel report.

The patch:
     * Grab our output buffer.
     nl = orig_nl = get_result_buffer(param, param_size, &len);
-    if (len < needed) {
+    if (len < needed || len < sizeof(nl->dev)) {
         param->flags |= DM_BUFFER_FULL_FLAG;
         goto out;

Bodong Zhao of NISL lab, Tsinghua University