lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 10 Mar 2017 11:46:10 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org, "Dmitry Vyukov" <dvyukov@...gle.com>,
        "Linus Torvalds" <torvalds@...ux-foundation.org>,
        "Christoph Hellwig" <hch@....de>,
        "Al Viro" <viro@...IV.linux.org.uk>,
        "Al Viro" <viro@...iv.linux.org.uk>
Subject: [PATCH 3.2 154/199] Fix missing sanity check in /dev/sg

3.2.87-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@...IV.linux.org.uk>

commit 137d01df511b3afe1f05499aea05f3bafc0fb221 upstream.

What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len.  Or with ->dxferp pointing
to an array full of empty iovecs.

Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...

Found by Dmitry Vyukov and syzkaller.

[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
  underlying issue.  - Linus ]

Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Reviewed-by: Christoph Hellwig <hch@....de>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
[bwh: Backported to 3.2: we're not using iov_iter, but can check the
 byte length after truncation]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 drivers/scsi/sg.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1710,6 +1710,10 @@ static int sg_start_req(Sg_request *srp,
 			iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
 			len = hp->dxfer_len;
 		}
+		if (len == 0) {
+			kfree(iov);
+			return -EINVAL;
+		}
 
 		res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
 					  iov_count,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ