
CrOS: Vulnerability reported in sys-kernel/chromeos-kernel-3_8

Reported by vomit.go...@appspot.gserviceaccount.com, Nov 29 2016

Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: sys-kernel/chromeos-kernel-3_8
Package Version: [cpe:/o:linux:linux_kernel:3.8.11]

Advisory: CVE-2015-5707
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2015-5707
  CVSS severity score: 4.6/10.0
  Confidence: high
  Description:

Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.

Issue 669440 has been merged into this issue.

Comment 2 by och...@chromium.org, Nov 29 2016

Components: OS>Kernel
Labels: Security_Severity-High Security_Impact-Stable
Owner: mnissler@chromium.org
Status: Assigned (was: Untriaged)
Chrome Security sheriff here. mnissler, could I keep this assigned to you? Or could you help find a better owner? Thanks.

(Assuming this impacts stable, but please correct if I'm wrong)
Cc: groeck@chromium.org dtor@chromium.org
Owner: snanda@chromium.org
Huh, I had made updates to this bug but apparently forgot to hit the save button...

Passing on to kernel folks.

This looks like an old CVE, but a quick look at our kernel trees suggests that the vulnerability is present on all branches except 4.4.

It looks like the fix is pretty simple and should be straightforward to apply to our trees, so can someone take a look?

Comment 4 by groeck@chromium.org, Nov 30 2016

Owner: groeck@chromium.org

Comment 5 by groeck@chromium.org, Nov 30 2016

Fix is upstream commit 451a2886b6b ("sg_start_req(): make sure that there's not too many elements in iovec").

Comment 6 by sheriffbot@chromium.org, Nov 30 2016

Labels: M-54

Comment 7 by sheriffbot@chromium.org, Nov 30 2016

Labels: -Pri-2 Pri-1

Comment 8 by groeck@chromium.org, Nov 30 2016

Status: Started (was: Assigned)

Comment 9 by groeck@chromium.org, Nov 30 2016

Cc: snanda@chromium.org
vomit lists several other CVEs in conjunction with this one. It says "CVE-2015-5707 CVE-2015-6252 CVE-2015-7799 …" (there is a total of 26 CVEs). Any idea, anyone, if there are bugs filed against the other CVEs, and/or why only one shows up here?

Where do you see that list of 26 CVEs? FWIW, I'm not aware of any other bugs (and search doesn't produce any results for CVE-2015-6252 other than this bug).

Probably best to follow up with vomit-team@ internally.

Comment 12 by bugdroid1@chromium.org, Dec 1 2016

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/983e7597411e1f80ad6ddbefb908805f978ac702

commit 983e7597411e1f80ad6ddbefb908805f978ac702
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415384
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/983e7597411e1f80ad6ddbefb908805f978ac702/drivers/scsi/sg.c
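
The page-count wrap that the commit message above (and the CVE description at the top of the issue) describes, as an added example: a user-space C model that is not code from this bug, the Chrome OS kernel tree or the upstream kernel. It reproduces the shape of the arithmetic the message names: each iovec entry's page span is summed into a 32-bit counter, the only overflow check is the per-entry one, and the `pages[]` array is sized from the wrapped sum, so the second pass writes past it. It assumes a 64-bit kernel with 4 KiB pages; the cap of UIO_MAXIOV (1024, the uapi iovec limit) is my assumption of what the backport substituted for the non-existent MAX_UIOVEC, since the page shows the commit message but not the diff; and the explicit bound on the accumulator in the hardened version is an addition of this model, which does not carry the kernel's other length checks. The iovec array is constructed inline.

```c
/*
 * Added example, not kernel code: model of the page counting the commit
 * message describes. Assumptions: LP64, PAGE_SIZE 4 KiB, and that the fix
 * caps the iovec count at UIO_MAXIOV (1024).
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
#define UIO_MAXIOV 1024   /* assumed cap, the uapi <linux/uio.h> limit */

struct iovec_model {
    uint64_t base;   /* user virtual address */
    uint64_t len;    /* bytes */
};

#define DEMO_IOV_COUNT 4097u
struct iovec_model demo_iov[DEMO_IOV_COUNT];   /* constructed input */
uint32_t demo_out;

/* Pages spanned by one entry, with the same per-entry wrap test the kernel
 * had; on wrap sets *wrapped and returns 0. */
static uint64_t pages_in_entry(const struct iovec_model *e, bool *wrapped)
{
    uint64_t end   = (e->base + e->len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    uint64_t start = e->base >> PAGE_SHIFT;
    *wrapped = end < start;
    return *wrapped ? 0 : end - start;
}

/* Pre-fix shape: iov_count is the bare 16-bit sg_io_hdr.iovec_count and the
 * total accumulates in a 32-bit counter (unsigned here so the wrap is
 * well-defined in the model; the kernel used an int of the same width). */
long count_pages_vulnerable(const struct iovec_model *iov, uint16_t iov_count)
{
    uint32_t nr_pages = 0;
    for (uint32_t i = 0; i < iov_count; i++) {
        bool wrapped;
        uint64_t n = pages_in_entry(&iov[i], &wrapped);
        if (wrapped)
            return -EINVAL;       /* the only overflow check that existed */
        nr_pages += (uint32_t)n;  /* silently wraps once the sum passes 2^32 */
    }
    return (long)nr_pages;        /* this value sized pages[] */
}

/* Second pass of the model: the kernel filled pages[] up to the true page
 * total; true if any write would land past alloc_entries. */
bool pages_array_overflows(const struct iovec_model *iov, uint16_t iov_count,
                           uint64_t alloc_entries)
{
    uint64_t cur_page = 0;
    for (uint32_t i = 0; i < iov_count; i++) {
        bool wrapped;
        cur_page += pages_in_entry(&iov[i], &wrapped);
        if (cur_page > alloc_entries)
            return true;
    }
    return false;
}

/* Post-fix shape: reject oversized iovec arrays before any arithmetic (the
 * backport's check) and, as this model's own addition, refuse a total that
 * does not fit the int the array is sized from. 0 on success, else -errno. */
int count_pages_hardened(const struct iovec_model *iov, uint32_t iov_count,
                         uint32_t *nr_pages_out)
{
    if (iov_count > UIO_MAXIOV)
        return -EINVAL;
    uint64_t total = 0;
    for (uint32_t i = 0; i < iov_count; i++) {
        bool wrapped;
        uint64_t n = pages_in_entry(&iov[i], &wrapped);
        if (wrapped)
            return -EINVAL;
        total += n;
        if (total > (uint64_t)INT_MAX)
            return -EOVERFLOW;
    }
    if (total == 0)
        return -EINVAL;
    *nr_pages_out = (uint32_t)total;
    return 0;
}

/* Constructed input: 4096 entries of 4 GiB (2^20 pages each, 2^32 in total,
 * which is 0 mod 2^32) followed by one 1-byte entry. Returns the count. */
uint16_t build_wrapping_iov(void)
{
    for (uint32_t i = 0; i < DEMO_IOV_COUNT - 1; i++) {
        demo_iov[i].base = 0;
        demo_iov[i].len  = (uint64_t)1 << 32;
    }
    demo_iov[DEMO_IOV_COUNT - 1].base = 0;
    demo_iov[DEMO_IOV_COUNT - 1].len  = 1;
    return DEMO_IOV_COUNT;
}

int main(void)
{
    uint16_t n = build_wrapping_iov();
    long wrapped = count_pages_vulnerable(demo_iov, n);
    printf("vulnerable: %u entries -> nr_pages = %ld (true total is 2^32 + 1)\n", n, wrapped);
    printf("pages[] of %ld entries overflows in the second pass: %s\n", wrapped,
           pages_array_overflows(demo_iov, n, (uint64_t)wrapped) ? "yes" : "no");
    int rc = count_pages_hardened(demo_iov, n, &demo_out);
    printf("hardened: rc = %d (%s)\n", rc,
           rc == -EINVAL ? "EINVAL: iovec_count > UIO_MAXIOV" : "accepted");
    return 0;
}
```

With the constructed array the vulnerable path reports a single page for a request that really spans 2^32 + 1, so a one-entry `pages[]` is allocated and the first entry of the second pass already runs past it; the hardened path refuses the request on the count alone, before any of the arithmetic runs. The same 1024-entry prefix is accepted by the hardened path with a count of 2^30 pages, which still fits an int.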

Comment 13 by bugdroid1@chromium.org, Dec 1 2016

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e88802b18816b196926529f9c9f64b735b2a747a

commit e88802b18816b196926529f9c9f64b735b2a747a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415219
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/e88802b18816b196926529f9c9f64b735b2a747a/drivers/scsi/sg.c

Comment 14 by bugdroid1@chromium.org, Dec 1 2016

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2273f7a74f7cfa2bdda8da130ccb947dafa4a97c

commit 2273f7a74f7cfa2bdda8da130ccb947dafa4a97c
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415116
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/2273f7a74f7cfa2bdda8da130ccb947dafa4a97c/drivers/scsi/sg.c

Comment 16 by sheriffbot@chromium.org, Dec 1 2016

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Merge-Request-54 Merge-Request-55 Merge-Request-56

Comment 18 by dimu@chromium.org, Dec 2 2016

Labels: -Merge-Request-54 Merge-Review-54 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M54), manual review required.

Comment 19 by dimu@chromium.org, Dec 2 2016

Labels: -Merge-Request-55 Merge-Review-55
[Automated comment] Less than 2 weeks to go before stable on M55, manual review required.

Comment 20 by dimu@chromium.org, Dec 2 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)

Comment 21 by bugdroid1@chromium.org, Dec 2 2016

Labels: merge-merged-release-R56-9000.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/000bfbae99e09d0c84a544ca0f425c78d90b9560

commit 000bfbae99e09d0c84a544ca0f425c78d90b9560
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415220
Commit-Ready: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit be8dc7ab4dcb44b60e20ea69900564a2bbdfe0d7)
Reviewed-on: https://chromium-review.googlesource.com/415577

[modify] https://crrev.com/000bfbae99e09d0c84a544ca0f425c78d90b9560/drivers/scsi/sg.c

Comment 22 by bugdroid1@chromium.org, Dec 2 2016

Labels: merge-merged-release-R56-9000.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/25cba0ffe1d08f2553885d1e985e4f2b26150ce2

commit 25cba0ffe1d08f2553885d1e985e4f2b26150ce2
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415116
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 2273f7a74f7cfa2bdda8da130ccb947dafa4a97c)
Reviewed-on: https://chromium-review.googlesource.com/415576

[modify] https://crrev.com/25cba0ffe1d08f2553885d1e985e4f2b26150ce2/drivers/scsi/sg.c

Comment 23 by bugdroid1@chromium.org, Dec 2 2016

Labels: merge-merged-release-R56-9000.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/308c6f5374b139715973242de95371c1000b7363

commit 308c6f5374b139715973242de95371c1000b7363
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415384
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 983e7597411e1f80ad6ddbefb908805f978ac702)
Reviewed-on: https://chromium-review.googlesource.com/415579

[modify] https://crrev.com/308c6f5374b139715973242de95371c1000b7363/drivers/scsi/sg.c

Comment 24 by bugdroid1@chromium.org, Dec 2 2016

Labels: merge-merged-release-R56-9000.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d299f050dc51ab7b3f63b5b2f72ced4f8ae5b504

commit d299f050dc51ab7b3f63b5b2f72ced4f8ae5b504
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415219
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit e88802b18816b196926529f9c9f64b735b2a747a)
Reviewed-on: https://chromium-review.googlesource.com/415578

[modify] https://crrev.com/d299f050dc51ab7b3f63b5b2f72ced4f8ae5b504/drivers/scsi/sg.c

Comment 25 by sheriffbot@chromium.org, Dec 2 2016

Labels: -M-54 M-55

Comment 26 by sheriffbot@chromium.org, Dec 2 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 27 by sheriffbot@chromium.org, Dec 5 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-56
Labels: -Merge-Review-55 Merge-Approved-55
Labels: -Merge-Request-54

Comment 31 by bugdroid1@chromium.org, Dec 13 2016

Labels: merge-merged-release-R55-8872.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/54def94028ce3280624aad7c20ec37c12d8d9f2a

commit 54def94028ce3280624aad7c20ec37c12d8d9f2a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415384
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 983e7597411e1f80ad6ddbefb908805f978ac702)
Reviewed-on: https://chromium-review.googlesource.com/419069

[modify] https://crrev.com/54def94028ce3280624aad7c20ec37c12d8d9f2a/drivers/scsi/sg.c

Comment 32 by bugdroid1@chromium.org, Dec 13 2016

Labels: merge-merged-release-R55-8872.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3c9fc39ccf36918ac6309a7097c85d053813ba38

commit 3c9fc39ccf36918ac6309a7097c85d053813ba38
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415116
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 2273f7a74f7cfa2bdda8da130ccb947dafa4a97c)
Reviewed-on: https://chromium-review.googlesource.com/419070

[modify] https://crrev.com/3c9fc39ccf36918ac6309a7097c85d053813ba38/drivers/scsi/sg.c

Comment 33 by bugdroid1@chromium.org, Dec 13 2016

Labels: merge-merged-release-R55-8872.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1152c80d363b1e16b0c1aef001d37e536f0b0ed5

commit 1152c80d363b1e16b0c1aef001d37e536f0b0ed5
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415219
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit e88802b18816b196926529f9c9f64b735b2a747a)
Reviewed-on: https://chromium-review.googlesource.com/419071

[modify] https://crrev.com/1152c80d363b1e16b0c1aef001d37e536f0b0ed5/drivers/scsi/sg.c

Comment 35 by bugdroid1@chromium.org, Dec 13 2016

Labels: merge-merged-release-R55-8872.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/243b10ad58c7e8fa8a2cd9b5a6921f4584619c1d

commit 243b10ad58c7e8fa8a2cd9b5a6921f4584619c1d
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Mar 22 00:08:18 2015

BACKPORT: sg_start_req(): make sure that there's not too many elements in iovec

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there.  If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

BUG= chromium:669439 
TEST=Build and Compile

Change-Id: Ic81dd7bf54b1c6d41d890e39d8563c5da2ac48fe
X-Coverup: TINC (and there's no lumber cartel either)
Cc: stable@vger.kernel.org # way, way back
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 451a2886b6b)
[groeck: Upstream used wrong (non-existing) definition MAX_UIOVEC]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/415220
Commit-Ready: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit be8dc7ab4dcb44b60e20ea69900564a2bbdfe0d7)
Reviewed-on: https://chromium-review.googlesource.com/419072

[modify] https://crrev.com/243b10ad58c7e8fa8a2cd9b5a6921f4584619c1d/drivers/scsi/sg.c

Labels: -Merge-Approved-55

Comment 37 by sheriffbot@chromium.org, Mar 10 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 38 by dchan@google.com, Apr 17 2017

Labels: VerifyIn-59

Comment 39 by dchan@google.com, May 30 2017

Labels: VerifyIn-60
Labels: VerifyIn-61

Comment 41 by dchan@chromium.org, Oct 14 2017

Status: Archived (was: Fixed)
