DivestOS/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch

30 lines
953 B
Diff
Raw Normal View History

2017-11-07 22:03:58 -05:00
From 0bf5dc993cf6be1b1dd716fb05c1fa84623093e5 Mon Sep 17 00:00:00 2001
2017-11-07 17:32:46 -05:00
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
2017-11-07 22:03:58 -05:00
Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
2017-11-07 17:32:46 -05:00
The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.
2017-11-07 22:03:58 -05:00
Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c
2017-11-07 17:32:46 -05:00
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
2017-11-07 22:03:58 -05:00
index 96d635e..4a6b13b 100644
2017-11-07 17:32:46 -05:00
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
2017-11-07 22:03:58 -05:00
@@ -978,6 +978,8 @@
2017-11-07 17:32:46 -05:00
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM: