mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-20 21:34:24 -05:00
37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
|
From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001
|
||
|
From: Al Viro <viro@zeniv.linux.org.uk>
|
||
|
Date: Sat, 21 Mar 2015 20:08:18 -0400
|
||
|
Subject: sg_start_req(): make sure that there's not too many elements in iovec
|
||
|
|
||
|
unfortunately, allowing an arbitrary 16bit value means a possibility of
|
||
|
overflow in the calculation of total number of pages in bio_map_user_iov() -
|
||
|
we rely on there being no more than PAGE_SIZE members of sum in the
|
||
|
first loop there. If that sum wraps around, we end up allocating
|
||
|
too small array of pointers to pages and it's easy to overflow it in
|
||
|
the second loop.
|
||
|
|
||
|
X-Coverup: TINC (and there's no lumber cartel either)
|
||
|
Cc: stable@vger.kernel.org # way, way back
|
||
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||
|
---
|
||
|
drivers/scsi/sg.c | 3 +++
|
||
|
1 file changed, 3 insertions(+)
|
||
|
|
||
|
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
|
||
|
index d383f84..b5a4db8 100644
|
||
|
--- a/drivers/scsi/sg.c
|
||
|
+++ b/drivers/scsi/sg.c
|
||
|
@@ -1744,6 +1744,9 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
|
||
|
md->from_user = 0;
|
||
|
}
|
||
|
|
||
|
+ if (unlikely(iov_count > MAX_UIOVEC))
|
||
|
+ return -EINVAL;
|
||
|
+
|
||
|
if (iov_count) {
|
||
|
int size = sizeof(struct iovec) * iov_count;
|
||
|
struct iovec *iov;
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|