debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)

This commit is contained in:
Ben Hutchings 2017-03-29 22:31:24 +01:00
parent 3e739d51e3
commit 2dd2d226ca
3 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
debian/changelog vendored
View File

@ -138,6 +138,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
* xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
(CVE-2017-7184)
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
* scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
-- Ben Hutchings <ben@decadent.org.uk> Mon, 27 Mar 2017 21:54:36 +0100

29
debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch vendored Normal file
View File

@ -0,0 +1,29 @@
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187
The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:

1
debian/patches/series vendored
View File

@ -121,6 +121,7 @@ debian/time-mark-timer_stats-as-broken.patch
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch