scsi: sg: check length passed to SG_NEXT_CMD_LEN

BugLink: http://bugs.launchpad.net/bugs/1681862 commit bf33f87d upstream. The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

scsi: sg: check length passed to SG_NEXT_CMD_LEN
BugLink: http://bugs.launchpad.net/bugs/1681862 commit bf33f87d upstream. The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
bff00b11 · peter chang · Thadeu Lima de Souza Cascardo · 2e32d2aa · bff00b11
Commit bff00b11 authored Feb 15, 2017 by peter chang Committed by Thadeu Lima de Souza Cascardo Apr 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

drivers/scsi/sg.c drivers/scsi/sg.c +2 -0

No files found.
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1008,6 +1008,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM: