[kernel] r22878 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Sat Aug 1 17:20:24 UTC 2015


Author: benh
Date: Sat Aug  1 17:20:24 2015
New Revision: 22878

Log:
sg_start_req(): make sure that there's not too many elements in iovec

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Sat Aug  1 17:19:24 2015	(r22877)
+++ dists/wheezy-security/linux/debian/changelog	Sat Aug  1 17:20:24 2015	(r22878)
@@ -4,6 +4,7 @@
   * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
   * sctp: fix ASCONF list handling (CVE-2015-3212)
   * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
+  * sg_start_req(): make sure that there's not too many elements in iovec
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 28 Jun 2015 23:37:37 +0100
 
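Review bot: the added changelog line for sg_start_req() carries no CVE or bug reference, while the three entries above it each name one. If an identifier has been assigned for this issue, append it in the same parenthesised form. If not, a few words on the impact (the overflow in bio_map_user_iov() that the patch header describes) would tell readers of the changelog why the change belongs in a wheezy-security upload.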

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch	Sat Aug  1 17:20:24 2015	(r22878)
@@ -0,0 +1,34 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sat, 21 Mar 2015 20:08:18 -0400
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+Origin: https://git.kernel.org/linus/451a2886b6bf90e2fb378f7c46c655450fb96e81
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there.  If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+X-Coverup: TINC (and there's no lumber cartel either)
+Cc: stable at vger.kernel.org # way, way back
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
+ that function.]
+---
+ drivers/scsi/sg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp,
+ 			md->from_user = 0;
+ 	}
+ 
++	if (unlikely(iov_count > UIO_MAXIOV))
++		return -EINVAL;
++
+ 	if (iov_count) {
+ 		int len, size = sizeof(struct sg_iovec) * iov_count;
+ 		struct iovec *iov;
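Review bot: the new check `if (unlikely(iov_count > UIO_MAXIOV))` in sg_start_req() has no comment, so nothing at that spot says the bound exists to keep the page-count sum in bio_map_user_iov() from wrapping, as the patch description explains. A one-line comment above the check would keep that link visible, which matters here because, per the [bwh] note, this tree keeps the explicit check instead of taking the upstream import_iovec() conversion. It is also worth confirming against the full function that a bare `return -EINVAL` at this point, after the md setup shown in the context lines, is consistent with how the other error paths in sg_start_req() leave the request.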

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Sat Aug  1 17:19:24 2015	(r22877)
+++ dists/wheezy-security/linux/debian/patches/series	Sat Aug  1 17:20:24 2015	(r22878)
@@ -1173,3 +1173,4 @@
 bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
 bugfix/all/sctp-fix-asconf-list-handling.patch
 bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
+bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch


