4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: peter chang <dpf@xxxxxxxxxx> commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream. The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Signed-off-by: Peter Chang <dpf@xxxxxxxxxx> Acked-by: Douglas Gilbert <dgilbert@xxxxxxxxxxxx> Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/scsi/sg.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int result = get_user(val, ip); if (result) return result; + if (val > SG_MAX_CDB_SIZE) + return -ENOMEM; sfp->next_cmd_len = (val > 0) ? val : 0; return 0; case SG_GET_VERSION_NUM: