[CVE-2016-10088][PATCH Trusty] sg_write()/bsg_write() is not fit to be called under KERNEL_DS
Po-Hsu Lin
po-hsu.lin at canonical.com
Tue Jun 20 08:58:39 UTC 2017
From: Al Viro <viro at zeniv.linux.org.uk>
CVE-2016-10088
Both damn things interpret userland pointers embedded into the payload;
worse, they are actually traversing those. Leaving aside the bad
API design, this is very much _not_ safe to call with KERNEL_DS.
Bail out early if that happens.
Cc: stable at vger.kernel.org
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
(cherry picked from commit 128394eff343fc6d2f32172f03e24829539c5835)
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
block/bsg.c | 3 +++
drivers/scsi/sg.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/block/bsg.c b/block/bsg.c
index 420a5a9..76801e5 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -675,6 +675,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
dprintk("%s: write %Zd bytes\n", bd->name, count);
+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ return -EINVAL;
+
bsg_set_block(bd, file);
bytes_written = 0;
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 1f65e32..291791a 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -568,6 +568,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
sg_io_hdr_t *hp;
unsigned char cmnd[MAX_COMMAND_SIZE];
+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ return -EINVAL;
+
if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
return -ENXIO;
SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",
--
1.7.9.5
More information about the kernel-team
mailing list