Bug #3356
closedArray index error in sys/dev/raid/iir/iir.c
Description
Version¶
latest on branch master in the git repo [[https://github.com/DragonFlyBSD/DragonFlyBSD]]
Description¶
Array index error may occur in int gdt_read_event (int handle,gdt_evt_str *estr)
in sys/dev/raid/iir/iir.c.
If handle is set as a negative integer but not -1, it will be passed to eindex
, which is used in e = &ebuffer[eindex];
at line 1931, which results in an array index error. However, handle isn't constrained by any caller of this function.
The vulnerability bears similarity to CVE-2009-3080, which means it may cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.
CVE Information¶
CVE-2009-3080's description:[[https://nvd.nist.gov/vuln/detail/CVE-2009-3080]]
CVE-2009-3080's patch commit:[[https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59199cf142765b0]]