From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 22:11:54 +0000 (-0800)
Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
X-Git-Tag: v4.14-rc1~1090^2~2^2~8
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bf33f87dd04c371ea33feb821b60d63d754e3124;p=platform%2Fkernel%2Flinux-rpi.git

scsi: sg: check length passed to SG_NEXT_CMD_LEN

The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.

Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index e831e01..849ff810 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM: