DivestOS/Patches/Linux_CVEs/CVE-2015-5707/ANY/0.patch
2017-10-29 22:14:37 -04:00

37 lines
1.2 KiB
Diff

From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat, 21 Mar 2015 20:08:18 -0400
Subject: sg_start_req(): make sure that there's not too many elements in iovec
unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there. If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
drivers/scsi/sg.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index d383f84..b5a4db8 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1744,6 +1744,9 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
md->from_user = 0;
}
+ if (unlikely(iov_count > MAX_UIOVEC))
+ return -EINVAL;
+
if (iov_count) {
int size = sizeof(struct iovec) * iov_count;
struct iovec *iov;
--
cgit v1.1