[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1489146383.529798066@decadent.org.uk>
Date: Fri, 10 Mar 2017 11:46:23 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "Christoph Hellwig" <hch@....de>,
"Linus Torvalds" <torvalds@...ux-foundation.org>,
"Dmitry Vyukov" <dvyukov@...gle.com>,
"Al Viro" <viro@...IV.linux.org.uk>,
"Al Viro" <viro@...iv.linux.org.uk>
Subject: [PATCH 3.16 307/370] Fix missing sanity check in /dev/sg
3.16.42-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@...IV.linux.org.uk>
commit 137d01df511b3afe1f05499aea05f3bafc0fb221 upstream.
What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len. Or with ->dxferp pointing
to an array full of empty iovecs.
Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...
Found by Dmitry Vyukov and syzkaller.
[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
underlying issue. - Linus ]
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Reviewed-by: Christoph Hellwig <hch@....de>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
[bwh: Backported to 3.16: we're not using iov_iter, but can check the
byte length after truncation]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
drivers/scsi/sg.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1716,6 +1716,10 @@ static int sg_start_req(Sg_request *srp,
iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
len = hp->dxfer_len;
}
+ if (len == 0) {
+ kfree(iov);
+ return -EINVAL;
+ }
res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
iov_count,
Powered by blists - more mailing lists