From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40406 "EHLO out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751244AbbEBO1A (ORCPT ); Sat, 2 May 2015 10:27:00 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 41A4B20A03 for ; Sat, 2 May 2015 10:27:00 -0400 (EDT) Subject: FAILED: patch "[PATCH] sg_start_req(): make sure that there's not too many elements" failed to apply to 3.10-stable tree To: viro@zeniv.linux.org.uk Cc: From: Date: Sat, 02 May 2015 16:26:54 +0200 Message-ID: <143057681460179@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: The patch below does not apply to the 3.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >>From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 21 Mar 2015 20:08:18 -0400 Subject: [PATCH] sg_start_req(): make sure that there's not too many elements in iovec unfortunately, allowing an arbitrary 16bit value means a possibility of overflow in the calculation of total number of pages in bio_map_user_iov() - we rely on there being no more than PAGE_SIZE members of sum in the first loop there. If that sum wraps around, we end up allocating too small array of pointers to pages and it's easy to overflow it in the second loop. X-Coverup: TINC (and there's no lumber cartel either) Cc: stable@vger.kernel.org # way, way back Signed-off-by: Al Viro diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d383f84869aa..b5a4db883223 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1744,6 +1744,9 @@ sg_start_req(Sg_request *srp, unsigned char *cmd) md->from_user = 0; } + if (unlikely(iov_count > MAX_UIOVEC)) + return -EINVAL; + if (iov_count) { int size = sizeof(struct iovec) * iov_count; struct iovec *iov;