sg_write()/bsg_write() is not fit to be called under KERNEL_DS

[ Upstream commit 128394ef ] Both damn things interpret userland pointers embedded into the payload; worse, they are actually traversing those. Leaving aside the bad API design, this is very much _not_ safe to call with KERNEL_DS. Bail out early if that happens. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

sg_write()/bsg_write() is not fit to be called under KERNEL_DS
[ Upstream commit 128394ef ] Both damn things interpret userland pointers embedded into the payload; worse, they are actually traversing those. Leaving aside the bad API design, this is very much _not_ safe to call with KERNEL_DS. Bail out early if that happens. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
3e326731 · Al Viro · Sasha Levin · 363f1a90 · 3e326731 · 3e326731
Commit 3e326731 authored Dec 16, 2016 by Al Viro Committed by Sasha Levin Jan 12, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

block/bsg.c block/bsg.c +3 -0

drivers/scsi/sg.c drivers/scsi/sg.c +3 -0

No files found.
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)

 	dprintk("%s: write %Zd bytes\n", bd->name, count);

+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	bsg_set_block(bd, file);

 	bytes_written = 0;

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -592,6 +592,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
 	sg_io_hdr_t *hp;
 	unsigned char cmnd[SG_MAX_CDB_SIZE];

+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,