Linux Kernel SCSI IOCTL Integer Overflow Vulnerability

The Linux Kernel is reported prone to a local integer overflow vulnerability. The issue occurs in the 'sg_scsi_ioctl' function of the 'scsi_ioctl.c' kernel driver.

The vulnerability exists because user-controlled integer values are not sufficiently sanitized before they are used as the size argument of a user-land to kernel memory copy operation.

This vulnerability may be leveraged to corrupt kernel memory and ultimately execute arbitrary code with ring-0 privileges. Alternatively, the issue may be exploited to trigger a kernel panic or to disclose contents of kernel memory.

It is reported that a user must have access to the respective SCSI devices in order to exploit this issue. This may hinder exploitability.
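The following constructed C program illustrates the bug class the advisory describes, an unchecked user-supplied length pair whose sum wraps before it is used to size a copy, alongside a hardened check. It is an added example, not the kernel's own sg_scsi_ioctl code; the `req_hdr` layout, `BUF_CAP` and the helper names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a request header supplied from user space:
 * two lengths that the handler adds together to size one kernel buffer. */
struct req_hdr {
    uint32_t in_len;   /* bytes the caller sends in */
    uint32_t out_len;  /* bytes the caller expects back */
};

#define BUF_CAP 256u  /* assumed capacity of the kernel-side buffer */

/* Weak check in the style the advisory describes: the sum is computed in
 * 32 bits, so a pair of lengths that wraps past 2^32 passes as a small
 * total even though in_len alone is far larger than the buffer. */
static bool weak_len_ok(const struct req_hdr *h)
{
    uint32_t total = h->in_len + h->out_len;  /* may wrap around */
    return total <= BUF_CAP;
}

/* Hardened check: add in a wider type so the sum cannot wrap, and bound
 * the true total against the buffer capacity. */
static bool safe_len_ok(const struct req_hdr *h)
{
    uint64_t total = (uint64_t)h->in_len + (uint64_t)h->out_len;
    return total <= BUF_CAP;
}

/* Returns the number of bytes the handler would copy into the BUF_CAP-byte
 * buffer after the given check, or 0 if the check rejects the request.
 * The copy uses in_len directly, not the (possibly wrapped) sum. */
static size_t bytes_copied_after_check(const struct req_hdr *h,
                                       bool (*check)(const struct req_hdr *))
{
    if (!check(h))
        return 0;
    return (size_t)h->in_len;
}

int main(void)
{
    struct req_hdr wrap = { 0xFFFFFFF0u, 0x20u };  /* constructed input */
    printf("weak check: copies %zu bytes into %u-byte buffer\n",
           bytes_copied_after_check(&wrap, weak_len_ok), BUF_CAP);
    printf("safe check: copies %zu bytes\n",
           bytes_copied_after_check(&wrap, safe_len_ok));
    return 0;
}
```

In kernel code the equivalent of the widened addition is the `check_add_overflow()` helper from `include/linux/overflow.h`, which reports wraparound instead of silently truncating.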


Copyright 2010, SecurityFocus