* [patch] check length passed to SG_NEXT_CMD_LEN
@ 2017-03-02 18:29 Peter Chang
2017-03-03 7:17 ` Dmitry Vyukov
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Peter Chang @ 2017-03-02 18:29 UTC (permalink / raw)
To: linux-scsi@vger.kernel.org, Dmitry Vyukov
[-- Attachment #1: Type: text/plain, Size: 70 bytes --]
now that i think i've got gmail not marking everything as spam...
\p
[-- Attachment #2: 0001-sg-check-length-passed-to-SG_NEXT_CMD_LEN.patch --]
[-- Type: text/x-patch, Size: 996 bytes --]
From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN
the user can control the size of the next command passed along, but
the value passed to the ioctl isn't checked against the usable
max command size.
Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
Tested: sanity checked w/ calling the ioctl w/ a bogus size
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9c5c5f2b3962..b47a369cb71c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
--
2.12.0.rc1.440.g5b76565f74-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [patch] check length passed to SG_NEXT_CMD_LEN
2017-03-02 18:29 [patch] check length passed to SG_NEXT_CMD_LEN Peter Chang
@ 2017-03-03 7:17 ` Dmitry Vyukov
2017-03-15 23:38 ` Martin K. Petersen
2017-03-16 23:48 ` Martin K. Petersen
2 siblings, 0 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2017-03-03 7:17 UTC (permalink / raw)
To: Peter Chang; +Cc: linux-scsi@vger.kernel.org, syzkaller
[-- Attachment #1: Type: text/plain, Size: 214 bytes --]
On Thu, Mar 2, 2017 at 7:29 PM, Peter Chang <dpf@google.com> wrote:
> now that i think i've got gmail not marking everything as spam...
+syzkaller mailing list as this does not seem to appear anywhere on open web
[-- Attachment #2: 0001-sg-check-length-passed-to-SG_NEXT_CMD_LEN.patch --]
[-- Type: text/x-patch, Size: 996 bytes --]
From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN
the user can control the size of the next command passed along, but
the value passed to the ioctl isn't checked against the usable
max command size.
Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
Tested: sanity checked w/ calling the ioctl w/ a bogus size
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9c5c5f2b3962..b47a369cb71c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
--
2.12.0.rc1.440.g5b76565f74-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [patch] check length passed to SG_NEXT_CMD_LEN
2017-03-02 18:29 [patch] check length passed to SG_NEXT_CMD_LEN Peter Chang
2017-03-03 7:17 ` Dmitry Vyukov
@ 2017-03-15 23:38 ` Martin K. Petersen
2017-03-16 18:24 ` Douglas Gilbert
2017-03-16 23:48 ` Martin K. Petersen
2 siblings, 1 reply; 7+ messages in thread
From: Martin K. Petersen @ 2017-03-15 23:38 UTC (permalink / raw)
To: Douglas Gilbert; +Cc: Peter Chang, linux-scsi@vger.kernel.org, Dmitry Vyukov
Peter Chang <dpf@google.com> writes:
> now that i think i've got gmail not marking everything as spam...
Doug?
>From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN
the user can control the size of the next command passed along, but
the value passed to the ioctl isn't checked against the usable
max command size.
Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
Tested: sanity checked w/ calling the ioctl w/ a bogus size
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9c5c5f2b3962..b47a369cb71c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
--
2.12.0.rc1.440.g5b76565f74-goog
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [patch] check length passed to SG_NEXT_CMD_LEN
2017-03-15 23:38 ` Martin K. Petersen
@ 2017-03-16 18:24 ` Douglas Gilbert
0 siblings, 0 replies; 7+ messages in thread
From: Douglas Gilbert @ 2017-03-16 18:24 UTC (permalink / raw)
To: Martin K. Petersen; +Cc: Peter Chang, linux-scsi@vger.kernel.org, Dmitry Vyukov
On 2017-03-15 07:38 PM, Martin K. Petersen wrote:
> Peter Chang <dpf@google.com> writes:
>
>> now that i think i've got gmail not marking everything as spam...
>
> Doug?
The extra sanity check can't hurt.
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
>
>>From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
> From: peter chang <dpf@google.com>
> Date: Wed, 15 Feb 2017 14:11:54 -0800
> Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN
>
> the user can control the size of the next command passed along, but
> the value passed to the ioctl isn't checked against the usable
> max command size.
>
> Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
> Tested: sanity checked w/ calling the ioctl w/ a bogus size
> ---
> drivers/scsi/sg.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 9c5c5f2b3962..b47a369cb71c 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
> result = get_user(val, ip);
> if (result)
> return result;
> + if (val > SG_MAX_CDB_SIZE)
> + return -ENOMEM;
> sfp->next_cmd_len = (val > 0) ? val : 0;
> return 0;
> case SG_GET_VERSION_NUM:
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [patch] check length passed to SG_NEXT_CMD_LEN
2017-03-02 18:29 [patch] check length passed to SG_NEXT_CMD_LEN Peter Chang
2017-03-03 7:17 ` Dmitry Vyukov
2017-03-15 23:38 ` Martin K. Petersen
@ 2017-03-16 23:48 ` Martin K. Petersen
2017-03-17 8:16 ` Dmitry Vyukov
2 siblings, 1 reply; 7+ messages in thread
From: Martin K. Petersen @ 2017-03-16 23:48 UTC (permalink / raw)
To: Peter Chang; +Cc: linux-scsi@vger.kernel.org, Dmitry Vyukov
Peter Chang <dpf@google.com> writes:
Applied to 4.11/scsi-fixes.
Thanks!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-03-19 17:20 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-02 18:29 [patch] check length passed to SG_NEXT_CMD_LEN Peter Chang
2017-03-03 7:17 ` Dmitry Vyukov
2017-03-15 23:38 ` Martin K. Petersen
2017-03-16 18:24 ` Douglas Gilbert
2017-03-16 23:48 ` Martin K. Petersen
2017-03-17 8:16 ` Dmitry Vyukov
2017-03-19 17:20 ` Martin K. Petersen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.