[DragonFlyBSD - Bug #3356] Array index error in sys/dev/raid/iir/iir.c
bugtracker-admin at leaf.dragonflybsd.org
bugtracker-admin at leaf.dragonflybsd.org
Tue Aug 29 19:42:10 PDT 2023
Issue #3356 has been updated by ChenHaoLu.
Shall we apply for a CVE for this security issue?
----------------------------------------
Bug #3356: Array index error in sys/dev/raid/iir/iir.c
http://bugs.dragonflybsd.org/issues/3356#change-14522
* Author: ChenHaoLu
* Status: Closed
* Priority: High
* Assignee: tuxillo
* Target version: 6.6
* Start date: 2023-08-28
----------------------------------------
h3. Version
latest on branch master in the git repo [[https://github.com/DragonFlyBSD/DragonFlyBSD]]
h3. Description
Array index error may occur in @int gdt_read_event (int handle,gdt_evt_str *estr)@ in sys/dev/raid/iir/iir.c.
If handle is set as a negative integer but not -1, it will be passed to @eindex@ , which is used in @e = &ebuffer[eindex];@ at line 1931, which results in an array index error. However, handle isn't constrained by any caller of this function.
The vulnerability bears similarity to CVE-2009-3080, which means it may cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.
h3. CVE Information
CVE-2009-3080's description:[[https://nvd.nist.gov/vuln/detail/CVE-2009-3080]]
CVE-2009-3080's patch commit:[[https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59199cf142765b0]]
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account
More information about the Bugs
mailing list