[thirdparty/kernel/stable-queue.git] / releases / 3.14.51 / sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch

From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat, 21 Mar 2015 20:08:18 -0400
Subject: sg_start_req(): make sure that there's not too many elements in iovec

From: Al Viro <viro@zeniv.linux.org.uk>

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

X-Coverup: TINC (and there's no lumber cartel either)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
 fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
  that function.]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp,
 			md->from_user = 0;
 	}
 
+	if (unlikely(iov_count > UIO_MAXIOV))
+		return -EINVAL;
+
 	if (iov_count) {
 		int len, size = sizeof(struct sg_iovec) * iov_count;
 		struct iovec *iov;
Commit	Line	Data
ecdd314b GKH	1	From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001
	2	From: Al Viro <viro@zeniv.linux.org.uk>
	3	Date: Sat, 21 Mar 2015 20:08:18 -0400
	4	Subject: sg_start_req(): make sure that there's not too many elements in iovec
	5
	6	From: Al Viro <viro@zeniv.linux.org.uk>
	7
	8	commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
	9
	10	unfortunately, allowing an arbitrary 16bit value means a possibility of
	11	overflow in the calculation of total number of pages in bio_map_user_iov() -
	12	we rely on there being no more than PAGE_SIZE members of sum in the
	13	first loop there. If that sum wraps around, we end up allocating
	14	too small array of pointers to pages and it's easy to overflow it in
	15	the second loop.
	16
	17	X-Coverup: TINC (and there's no lumber cartel either)
	18	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
	19	[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
	20	fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
	21	that function.]
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	drivers/scsi/sg.c \| 3 +++
	26	1 file changed, 3 insertions(+)
	27
	28	--- a/drivers/scsi/sg.c
	29	+++ b/drivers/scsi/sg.c
	30	@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp,
	31	md->from_user = 0;
	32	}
	33
	34	+ if (unlikely(iov_count > UIO_MAXIOV))
	35	+ return -EINVAL;
	36	+
	37	if (iov_count) {
	38	int len, size = sizeof(struct sg_iovec) * iov_count;
	39	struct iovec *iov;