DivestOS/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch

From c38b9d2d38678815745eae28512a03d5e1a3dcf1 Mon Sep 17 00:00:00 2001
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN

The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.

Change-Id: Icbb33a63776954de662eb858ede300fbcb3710f4
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 56178bc..84f5a76 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -959,6 +959,8 @@
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM: