From: "Martin K. Petersen" <martin.petersen@oracle.com>
To: Douglas Gilbert <dgilbert@interlog.com>
Cc: Peter Chang <dpf@google.com>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [patch] check length passed to SG_NEXT_CMD_LEN
Date: Wed, 15 Mar 2017 19:38:17 -0400
Message-ID: <yq1zigmf6vq.fsf@oracle.com>
In-Reply-To: <CAF2xp_GW8KwyD9AuZjHFoPtiNdRyPQ27+1jDLEJjuKxci3mU6w@mail.gmail.com> (Peter Chang's message of "Thu, 2 Mar 2017 10:29:39 -0800")
Peter Chang <dpf@google.com> writes:
> now that i think i've got gmail not marking everything as spam...
Doug?
>From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN
the user can control the size of the next command passed along, but
the value passed to the ioctl isn't checked against the usable
max command size.
Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
Tested: sanity checked w/ calling the ioctl w/ a bogus size
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9c5c5f2b3962..b47a369cb71c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
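Review bot: the added check in the SG_NEXT_CMD_LEN case returns -ENOMEM for val > SG_MAX_CDB_SIZE, yet nothing is allocated on this path and the failure is an out-of-range user argument; -EINVAL would describe it better, or the commit message should say why -ENOMEM was chosen. Negative values still fall through to the existing "(val > 0) ? val : 0" clamp on the next line, so the upper bound alone is sufficient here. The commit message says the length is not checked against the usable maximum but not what an oversized next_cmd_len leads to later; one sentence on the consequence would make the need for the fix clear. The message as posted also carries no Signed-off-by line.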
--
2.12.0.rc1.440.g5b76565f74-goog
--
Martin K. Petersen Oracle Linux Engineering