]>
Commit | Line | Data |
---|---|---|
ecdd314b GKH |
1 | From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001 |
2 | From: Al Viro <viro@zeniv.linux.org.uk> | |
3 | Date: Sat, 21 Mar 2015 20:08:18 -0400 | |
4 | Subject: sg_start_req(): make sure that there's not too many elements in iovec | |
5 | ||
6 | From: Al Viro <viro@zeniv.linux.org.uk> | |
7 | ||
8 | commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream. | |
9 | ||
10 | unfortunately, allowing an arbitrary 16bit value means a possibility of | |
11 | overflow in the calculation of total number of pages in bio_map_user_iov() - | |
12 | we rely on there being no more than PAGE_SIZE members of sum in the | |
13 | first loop there. If that sum wraps around, we end up allocating | |
14 | too small array of pointers to pages and it's easy to overflow it in | |
15 | the second loop. | |
16 | ||
17 | X-Coverup: TINC (and there's no lumber cartel either) | |
18 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | |
19 | [bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit | |
20 | fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have | |
21 | that function.] | |
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
23 | ||
24 | --- | |
25 | drivers/scsi/sg.c | 3 +++ | |
26 | 1 file changed, 3 insertions(+) | |
27 | ||
28 | --- a/drivers/scsi/sg.c | |
29 | +++ b/drivers/scsi/sg.c | |
30 | @@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, | |
31 | md->from_user = 0; | |
32 | } | |
33 | ||
34 | + if (unlikely(iov_count > UIO_MAXIOV)) | |
35 | + return -EINVAL; | |
36 | + | |
37 | if (iov_count) { | |
38 | int len, size = sizeof(struct sg_iovec) * iov_count; | |
39 | struct iovec *iov; |