FreeBSD -- mpr/mps/mpt driver ioctl heap out-of-bounds write
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and
mpt drivers allocated a buffer of a caller-specified size, but
copied to it a fixed size header. Other heap content would be
overwritten if the specified size was too small.
Users with access to the mpr, mps or mpt device node may overwrite
heap data, potentially resulting in privilege escalation. Note that
the device node is only accessible to root and members of the operator
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright