diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2016-12-16 13:42:06 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-01-09 08:07:53 +0100 |
| commit | d85727365859108cbcf832c2b3c38358ddc7638b (patch) | |
| tree | 2c30a467ab254d1e2aae3e405d1ac3c6d1de05a9 | |
| parent | 7fb5a936457dff3616644d1725f28002048819f7 (diff) | |
sg_write()/bsg_write() is not fit to be called under KERNEL_DS
commit 128394eff343fc6d2f32172f03e24829539c5835 upstream.
Both damn things interpret userland pointers embedded into the payload;
worse, they are actually traversing those. Leaving aside the bad
API design, this is very much _not_ safe to call with KERNEL_DS.
Bail out early if that happens.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | block/bsg.c | 3 | ||||
| -rw-r--r-- | drivers/scsi/sg.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/block/bsg.c b/block/bsg.c index d214e929ce18..b9a53615bdef 100644 --- a/block/bsg.c +++ b/block/bsg.c @@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) dprintk("%s: write %Zd bytes\n", bd->name, count); + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) + return -EINVAL; + bsg_set_block(bd, file); bytes_written = 0; diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index ae7d9bdf409c..a1c29b0afb22 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -592,6 +592,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) sg_io_hdr_t *hp; unsigned char cmnd[SG_MAX_CDB_SIZE]; + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) + return -EINVAL; + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) return -ENXIO; SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, |