[DragonFlyBSD - Bug #3356] Array index error in sys/dev/raid/iir/iir.c

bugtracker-admin at leaf.dragonflybsd.org bugtracker-admin at leaf.dragonflybsd.org
Tue Aug 29 19:42:10 PDT 2023


Issue #3356 has been updated by ChenHaoLu.


Shall we apply for a CVE for this security issue?

----------------------------------------
Bug #3356: Array index error in sys/dev/raid/iir/iir.c
http://bugs.dragonflybsd.org/issues/3356#change-14522

* Author: ChenHaoLu
* Status: Closed
* Priority: High
* Assignee: tuxillo
* Target version: 6.6
* Start date: 2023-08-28
----------------------------------------
h3. Version

latest on branch master in the git repo [[https://github.com/DragonFlyBSD/DragonFlyBSD]]

h3. Description


Array index error may occur in @int gdt_read_event (int handle,gdt_evt_str *estr)@ in sys/dev/raid/iir/iir.c.

If handle is set as a negative integer but not -1, it will be passed to @eindex@ , which is used in @e = &ebuffer[eindex];@ at line 1931, which results in an array index error. However, handle isn't constrained by any caller of this function.

The vulnerability bears similarity to CVE-2009-3080, which means it may cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

h3. CVE Information

CVE-2009-3080's description:[[https://nvd.nist.gov/vuln/detail/CVE-2009-3080]]
CVE-2009-3080's patch commit:[[https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59199cf142765b0]]



-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account


More information about the Bugs mailing list