From b72236b4075f96fdaf20c3ffcf7393463644aeeb Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Fri, 21 Jun 2019 13:42:40 +0000 Subject: [PATCH] nandsim: correct test to avoid out-of-bounds access Previously nandsim_chip_status returned EINVAL iff both of user-provided chip->ctrl_num and chip->num were out of bounds. If only one failed the bounds check arbitrary memory would be read and returned. The NAND framework is not built by default, nandsim is not intended for production use (it is a simulator), and the nandsim device has root-only permissions. admbugs: 827 Reported by: Daniel Hodson of elttam MFC after: 3 days Security: kernel information leak or DoS Sponsored by: The FreeBSD Foundation --- sys/dev/nand/nandsim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/dev/nand/nandsim.c b/sys/dev/nand/nandsim.c index 4639a15700a2..50e4f8bb2e33 100644 --- a/sys/dev/nand/nandsim.c +++ b/sys/dev/nand/nandsim.c @@ -295,7 +295,7 @@ nandsim_chip_status(struct sim_chip *chip) nand_debug(NDBG_SIM,"status for chip num:%d at ctrl:%d", chip->num, chip->ctrl_num); - if (chip->ctrl_num >= MAX_SIM_DEV && + if (chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS) return (EINVAL);
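Review bot: The `&&` to `||` change in the bounds check at the top of nandsim_chip_status is the right fix, since either index being out of range is enough for the lookup that follows to read past its array; the old test only rejected the case where both were bad, which matches the information-leak description in the commit message. Two points worth confirming in the same change: that chip->ctrl_num and chip->num are unsigned types (a signed value would still pass a `>=` test and would need an additional `< 0` check), and that MAX_SIM_DEV is indeed the limit for ctrl_num and MAX_CTRL_CS the limit for num rather than the reverse, because the previous `&&` form would have masked a swapped pair of limits. A short comment above the check naming the arrays it guards would make the intent clearer to the next reader.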