CVE-2018-8822: [PATCH] ncpfs: memory corruption in ncp_read_kernel()
Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.
If the server is malicious then *bytes_read could be larger than the size of the “target” buffer. It would lead to memory corruption when we do the memcpy().
Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare silvio.ces…@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpen…@oracle.com>
diff --git a/drivers/staging/ncpfs/ncplib_kernel.c b/drivers/staging/ncpfs/ncplib_kernel.c index 804adfebba2f…3e047eb4cc7c 100644 — a/drivers/staging/ncpfs/ncplib_kernel.c +++ b/drivers/staging/ncpfs/ncplib_kernel.c @@ -981,6 +981,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, goto out; } *bytes_read = ncp_reply_be16(server, 0);
if (\*bytes\_read > to\_read) {
result = -EINVAL;
goto out;
} source = ncp\_reply\_data(server, 2 + (offset & 1)); memcpy(target, source, \*bytes\_read);
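Review bot: the new bound compares `*bytes_read` only against `to_read`, the caller's requested length, so it protects `target` only if every caller passes a buffer of at least `to_read` bytes; that contract is worth stating in a comment above `if (*bytes_read > to_read)`. On the `-EINVAL` path `*bytes_read` still holds the oversized server-supplied value, so consider adding `*bytes_read = 0;` before `goto out` so a caller that inspects it after an error does not act on it. Also worth confirming, since it is not visible in this hunk, that `ncp_reply_data(server, 2 + (offset & 1))` plus `*bytes_read` cannot run past the reply actually received: the check bounds the destination of the `memcpy()`, not its source.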
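As an added illustration, not part of the patch or of the kernel source, the following C model shows the bound from the hunk applied to a constructed reply: a malicious reply that claims more bytes than the caller's `to_read` is rejected with -EINVAL before any copy, while an honest reply is copied. The `struct reply`, `reply_be16()` and `read_kernel_hardened()` names are assumptions standing in for the kernel's `ncp_reply_be16()`/`ncp_reply_data()`, and the second check (claimed length versus the reply length actually received) goes beyond what the patch itself adds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an NCP reply: a 2-byte big-endian length field
 * followed by the file data, read like ncp_reply_be16()/ncp_reply_data().
 * The struct and helper names are assumptions, not kernel code. */
struct reply {
    const uint8_t *data;
    size_t len;
};

static uint16_t reply_be16(const struct reply *r, size_t off)
{
    return (uint16_t)((r->data[off] << 8) | r->data[off + 1]);
}

/* Models the tail of the patched ncp_read_kernel(): the server-supplied
 * length is bounded by the caller's to_read before anything is copied. */
int read_kernel_hardened(const struct reply *r, int offset, char *target,
                         size_t to_read, size_t *bytes_read)
{
    size_t hdr = 2 + (offset & 1);     /* payload follows the length (+ pad) */
    *bytes_read = reply_be16(r, 0);
    if (*bytes_read > to_read)         /* the CVE-2018-8822 check */
        return -EINVAL;
    if (hdr + *bytes_read > r->len)    /* added here: reply shorter than claimed */
        return -EINVAL;
    memcpy(target, r->data + hdr, *bytes_read);
    return 0;
}

/* Malicious reply claiming 60 bytes for a 16-byte target: expect -EINVAL. */
int demo_oversized(void)
{
    uint8_t raw[64] = { 60 >> 8, 60 & 0xff };   /* constructed; rest is zero */
    struct reply r = { raw, sizeof raw };
    char target[16]; size_t n;
    return read_kernel_hardened(&r, 0, target, sizeof target, &n);
}

/* Honest reply carrying 4 bytes: returns the count copied, or the error. */
int demo_honest(void)
{
    static const uint8_t raw[] = { 0x00, 0x04, 'd', 'a', 't', 'a' };
    struct reply r = { raw, sizeof raw };
    char target[16]; size_t n;
    int rc = read_kernel_hardened(&r, 0, target, sizeof target, &n);
    if (rc)
        return rc;
    return memcmp(target, "data", 4) == 0 ? (int)n : -1;
}
```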