On Sat, Aug 01, 2015 at 06:25:59PM +0100, Ben Hutchings wrote:
> From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
>
> commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
>
> unfortunately, allowing an arbitrary 16bit value means a possibility of
> overflow in the calculation of total number of pages in bio_map_user_iov() -
> we rely on there being no more than PAGE_SIZE members of sum in the
> first loop there. If that sum wraps around, we end up allocating
> too small array of pointers to pages and it's easy to overflow it in
> the second loop.
>
> X-Coverup: TINC (and there's no lumber cartel either)
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> [bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
> fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
> that function.]
> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> ---
> It looks like this bug was introduced in 2.6.28 by commit 10db10d144c0
> ("sg: convert the indirect IO path to use the block layer"), so the fix
> is needed for all stable branches.
>
> Ben.
Thanks Ben, queuing it for the 3.16 kernel.
Cheers,
--
Luís
>
> drivers/scsi/sg.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp,
> md->from_user = 0;
> }
>
> + if (unlikely(iov_count > UIO_MAXIOV))
> + return -EINVAL;
> +
> if (iov_count) {
> int len, size = sizeof(struct sg_iovec) * iov_count;
> struct iovec *iov;
> --
> Ben Hutchings
> One of the nice things about standards is that there are so many of them.
>
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html