scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
This commit is contained in:
parent
3e739d51e3
commit
2dd2d226ca
|
@ -138,6 +138,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
|
|||
* xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
|
||||
(CVE-2017-7184)
|
||||
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
|
||||
* scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 27 Mar 2017 21:54:36 +0100
|
||||
|
||||
|
|
29
debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
vendored
Normal file
29
debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
vendored
Normal file
|
@ -0,0 +1,29 @@
|
|||
From: peter chang <dpf@google.com>
|
||||
Date: Wed, 15 Feb 2017 14:11:54 -0800
|
||||
Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187
|
||||
|
||||
The user can control the size of the next command passed along, but the
|
||||
value passed to the ioctl isn't checked against the usable max command
|
||||
size.
|
||||
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Peter Chang <dpf@google.com>
|
||||
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
|
||||
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||||
---
|
||||
drivers/scsi/sg.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/drivers/scsi/sg.c
|
||||
+++ b/drivers/scsi/sg.c
|
||||
@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
|
||||
result = get_user(val, ip);
|
||||
if (result)
|
||||
return result;
|
||||
+ if (val > SG_MAX_CDB_SIZE)
|
||||
+ return -ENOMEM;
|
||||
sfp->next_cmd_len = (val > 0) ? val : 0;
|
||||
return 0;
|
||||
case SG_GET_VERSION_NUM:
|
|
@ -121,6 +121,7 @@ debian/time-mark-timer_stats-as-broken.patch
|
|||
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
|
||||
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
|
||||
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
|
||||
bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue