[SRU Trusty] Close CVE-2017-7187

Stefan Bader stefan.bader at canonical.com
Thu Aug 24 13:32:05 UTC 2017


>From bf33f87dd04c371ea33feb821b60d63d754e3124 Mon Sep 17 00:00:00 2001
From: peter chang <dpf at google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN

The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.

Cc: <stable at vger.kernel.org>
Signed-off-by: Peter Chang <dpf at google.com>
Acked-by: Douglas Gilbert <dgilbert at interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>

CVE-2017-7187

(backported from commit bf33f87dd04c371ea33feb821b60d63d754e3124)
[smb: SG_MAX_CDB_SIZE -> MAX_COMMAND_SIZE]
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
---
 Notes:
 - Strictly speaking this is _not_ needed in Trusty as back then there
   was a size check in sg_write which was removed when introducing
   SG_MAX_CDB_SIZE:
     65c26a0 sg: relax 16 byte cdb restriction
 - Backporting the commit anyway would have the advantage of returning
   the error sooner (when trying to set the next command size).
 - So to resolve the CVE for Trusty we could either update the breaks-
   fix entry or apply the backport.

-Stefan

 drivers/scsi/sg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index e831e01..849ff810 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > MAX_COMMAND_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM:
-- 
2.7.4





More information about the kernel-team mailing list