From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from youngberry.canonical.com ([91.189.89.112]:35819 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1754015AbbHJJ00 (ORCPT );
	Mon, 10 Aug 2015 05:26:26 -0400
Date: Mon, 10 Aug 2015 10:26:23 +0100
From: Luis Henriques
To: Ben Hutchings
Cc: stable@vger.kernel.org, Al Viro
Subject: Re: [PATCH 2.6.32-4.0] sg_start_req(): make sure that there's not too many elements in iovec
Message-ID: <20150810092623.GD11576@ares>
References: <1438449959.3225.18.camel@decadent.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1438449959.3225.18.camel@decadent.org.uk>
Sender: stable-owner@vger.kernel.org
List-ID:

On Sat, Aug 01, 2015 at 06:25:59PM +0100, Ben Hutchings wrote:
> From: Al Viro
>
> commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
>
> unfortunately, allowing an arbitrary 16bit value means a possibility of
> overflow in the calculation of total number of pages in bio_map_user_iov() -
> we rely on there being no more than PAGE_SIZE members of sum in the
> first loop there. If that sum wraps around, we end up allocating
> too small array of pointers to pages and it's easy to overflow it in
> the second loop.
>
> X-Coverup: TINC (and there's no lumber cartel either)
> Signed-off-by: Al Viro
> [bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
> fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
> that function.]
> Signed-off-by: Ben Hutchings
> ---
> It looks like this bug was introduced in 2.6.28 by commit 10db10d144c0
> ("sg: convert the indirect IO path to use the block layer"), so the fix
> is needed for all stable branches.
>
> Ben.

Thanks Ben, queuing it for the 3.16 kernel.

Cheers,
--
Luís

> > drivers/scsi/sg.c | 3 +++ > 1 file changed, 3 insertions(+) > > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c 
> @@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp, > md->from_user = 0; > } > > + if (unlikely(iov_count > UIO_MAXIOV)) > + return -EINVAL; > + > if (iov_count) { > int len, size = sizeof(struct sg_iovec) * iov_count; > struct iovec *iov; > -- > Ben Hutchings > One of the nice things about standards is that there are so many of them. >
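
Review bot: The added iov_count > UIO_MAXIOV test in sg_start_req() has no comment, so the reason for the bound lives only in the commit message. A one-line comment above the check, saying that it keeps the page-count sum in bio_map_user_iov() from wrapping, would help anyone who later backports or refactors this path. Separately, the early return -EINVAL sits after the md->from_user = 0 setup block, and the hunk does not show whether anything acquired earlier in the function needs releasing on this exit. It is worth confirming for each stable branch that the caller's error path covers it.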