diff options
| author | Al Viro <viro@ZenIV.linux.org.uk> | 2017-02-19 10:15:27 +0300 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2017-03-16 05:27:15 +0300 |
| commit | 41abcae496e15402bb2df9bc6d52523e47ca2a2d (patch) | |
| tree | 3fb7944a6818e7992d556c4f045d29b9765e374a /drivers/scsi/sg.c | |
| parent | e5ca28d1c3ea23fab9f1e0b2e32aa75dd2e6832c (diff) | |
| download | linux-41abcae496e15402bb2df9bc6d52523e47ca2a2d.tar.xz | |
Fix missing sanity check in /dev/sg
commit 137d01df511b3afe1f05499aea05f3bafc0fb221 upstream.
What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len. Or with ->dxferp pointing
to an array full of empty iovecs.
Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...
Found by Dmitry Vyukov and syzkaller.
[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
underlying issue. - Linus ]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: we're not using iov_iter, but can check the
byte length after truncation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'drivers/scsi/sg.c')
| -rw-r--r-- | drivers/scsi/sg.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index b4d50662fc6f..0206b495b65e 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1716,6 +1716,10 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) iov_count = iov_shorten(iov, iov_count, hp->dxfer_len); len = hp->dxfer_len; } + if (len == 0) { + kfree(iov); + return -EINVAL; + } res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov, iov_count, |