Project

General

Profile

Actions
Copy link

Bug #3356

closed

Array index error in sys/dev/raid/iir/iir.c

Added by ChenHaoLu about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
High
Assignee:
tuxillo
Category:
-
Target version:
6.6
Start date:
08/28/2023
Due date:
% Done:

0%

Estimated time:

Description

Version

latest on branch master in the git repo [[https://github.com/DragonFlyBSD/DragonFlyBSD]]

Description

Array index error may occur in int gdt_read_event (int handle,gdt_evt_str *estr) in sys/dev/raid/iir/iir.c.

If handle is set as a negative integer but not -1, it will be passed to eindex , which is used in e = &ebuffer[eindex]; at line 1931, which results in an array index error. However, handle isn't constrained by any caller of this function.

The vulnerability bears similarity to CVE-2009-3080, which means it may cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

CVE Information

CVE-2009-3080's description:[[https://nvd.nist.gov/vuln/detail/CVE-2009-3080]]
CVE-2009-3080's patch commit:[[https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59199cf142765b0]]

Actions
Copy link
 #1

Updated by tuxillo about 1 year ago

  • Status changed from New to Closed
  • Assignee set to tuxillo
  • Target version changed from Unverifiable to 6.6

Fixed in 9237ab75

Sorry we missed the credits :(

Actions
Copy link
 #2

Updated by ChenHaoLu about 1 year ago

Shall we apply for a CVE for this security issue?

Actions
Copy link
 #3

Updated by tuxillo about 1 year ago

I don't think it's necessary for now.

Actions
Copy link

Also available in: Atom PDF