| Message ID | 1497949119-21068-2-git-send-email-po-hsu.lin@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 20.06.2017 10:58, Po-Hsu Lin wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > > CVE-2016-10088 > > Both damn things interpret userland pointers embedded into the payload; > worse, they are actually traversing those. Leaving aside the bad > API design, this is very much _not_ safe to call with KERNEL_DS. > Bail out early if that happens. > > Cc: stable@vger.kernel.org > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > (cherry picked from commit 128394eff343fc6d2f32172f03e24829539c5835) > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > block/bsg.c | 3 +++ > drivers/scsi/sg.c | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/block/bsg.c b/block/bsg.c > index 420a5a9..76801e5 100644 > --- a/block/bsg.c > +++ b/block/bsg.c > @@ -675,6 +675,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) > > dprintk("%s: write %Zd bytes\n", bd->name, count); > > + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) > + return -EINVAL; > + > bsg_set_block(bd, file); > > bytes_written = 0; > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 1f65e32..291791a 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -568,6 +568,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) > sg_io_hdr_t *hp; > unsigned char cmnd[MAX_COMMAND_SIZE]; > > + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) > + return -EINVAL; > + > if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) > return -ENXIO; > SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n", >
On 20/06/17 09:58, Po-Hsu Lin wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > > CVE-2016-10088 > > Both damn things interpret userland pointers embedded into the payload; > worse, they are actually traversing those. Leaving aside the bad > API design, this is very much _not_ safe to call with KERNEL_DS. > Bail out early if that happens. > > Cc: stable@vger.kernel.org > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > (cherry picked from commit 128394eff343fc6d2f32172f03e24829539c5835) > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > block/bsg.c | 3 +++ > drivers/scsi/sg.c | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/block/bsg.c b/block/bsg.c > index 420a5a9..76801e5 100644 > --- a/block/bsg.c > +++ b/block/bsg.c > @@ -675,6 +675,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) > > dprintk("%s: write %Zd bytes\n", bd->name, count); > > + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) > + return -EINVAL; > + > bsg_set_block(bd, file); > > bytes_written = 0; > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 1f65e32..291791a 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -568,6 +568,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) > sg_io_hdr_t *hp; > unsigned char cmnd[MAX_COMMAND_SIZE]; > > + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) > + return -EINVAL; > + > if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) > return -ENXIO; > SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n", > Acked-by: Colin Ian King <colin.king@canonical.com>
Applied to Trusty master-next. Thanks, -Stefan
diff --git a/block/bsg.c b/block/bsg.c index 420a5a9..76801e5 100644 --- a/block/bsg.c +++ b/block/bsg.c @@ -675,6 +675,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) dprintk("%s: write %Zd bytes\n", bd->name, count); + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) + return -EINVAL; + bsg_set_block(bd, file); bytes_written = 0; diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 1f65e32..291791a 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -568,6 +568,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) sg_io_hdr_t *hp; unsigned char cmnd[MAX_COMMAND_SIZE]; + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) + return -EINVAL; + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) return -ENXIO; SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",