ACK: [SRU Trusty] Close CVE-2017-7187
Kleber Souza
kleber.souza at canonical.com
Thu Aug 24 13:59:04 UTC 2017
On 08/24/17 15:32, Stefan Bader wrote:
> From bf33f87dd04c371ea33feb821b60d63d754e3124 Mon Sep 17 00:00:00 2001
> From: peter chang <dpf at google.com>
> Date: Wed, 15 Feb 2017 14:11:54 -0800
> Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
>
> The user can control the size of the next command passed along, but the
> value passed to the ioctl isn't checked against the usable max command
> size.
>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Peter Chang <dpf at google.com>
> Acked-by: Douglas Gilbert <dgilbert at interlog.com>
> Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
>
> CVE-2017-7187
>
> (backported from commit bf33f87dd04c371ea33feb821b60d63d754e3124)
> [smb: SG_MAX_CDB_SIZE -> MAX_COMMAND_SIZE]
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
> Notes:
> - Strictly speaking this is _not_ needed in Trusty as back then there
> was a size check in sg_write which was removed when introducing
> SG_MAX_CDB_SIZE:
> 65c26a0 sg: relax 16 byte cdb restriction
> - Backporting the commit anyway would have the advantage of returning
> the error sooner (when trying to set the next command size).
> - So to resolve the CVE for Trusty we could either update the breaks-
> fix entry or apply the backport.
>
> -Stefan
>
> drivers/scsi/sg.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index e831e01..849ff810 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
> result = get_user(val, ip);
> if (result)
> return result;
> + if (val > MAX_COMMAND_SIZE)
> + return -ENOMEM;
> sfp->next_cmd_len = (val > 0) ? val : 0;
> return 0;
> case SG_GET_VERSION_NUM:
>
More information about the kernel-team
mailing list