sg_write()/bsg_write() is not fit to be called under KERNEL_DS

[ Upstream commit 128394eff343fc6d2f32172f03e24829539c5835 ] Both damn things interpret userland pointers embedded into the payload; worse, they are actually traversing those. Leaving aside the bad API design, this is very much _not_ safe to call with KERNEL_DS. Bail out early if that happens. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
author: Al Viro <viro@zeniv.linux.org.uk> 2016-12-16 13:42:06 -0500
committer: Sasha Levin <alexander.levin@verizon.com> 2017-01-15 09:49:53 -0500
commit: a861b9212ab44dc9483259b1f9376e74bae2ad37 (patch)
tree: 4e1a189e30dfcaffceaa0edd19ccc2f3426eba82 /block
parent: 77e36d730030760bf2aebc4e911b2471fca770eb (diff)
download: linux-stable-a861b9212ab44dc9483259b1f9376e74bae2ad37.tar.gz
linux-stable-a861b9212ab44dc9483259b1f9376e74bae2ad37.tar.bz2
linux-stable-a861b9212ab44dc9483259b1f9376e74bae2ad37.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/block/bsg.c b/block/bsg.c
index 276e869e686c..fc607692cfe4 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -677,6 +677,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
 
 	dprintk("%s: write %Zd bytes\n", bd->name, count);
 
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	bsg_set_block(bd, file);
 
 	bytes_written = 0;
author	Al Viro <viro@zeniv.linux.org.uk>	2016-12-16 13:42:06 -0500
committer	Sasha Levin <alexander.levin@verizon.com>	2017-01-15 09:49:53 -0500
commit	a861b9212ab44dc9483259b1f9376e74bae2ad37 (patch)
tree	4e1a189e30dfcaffceaa0edd19ccc2f3426eba82 /block
parent	77e36d730030760bf2aebc4e911b2471fca770eb (diff)
download	linux-stable-a861b9212ab44dc9483259b1f9376e74bae2ad37.tar.gz linux-stable-a861b9212ab44dc9483259b1f9376e74bae2ad37.tar.bz2 linux-stable-a861b9212ab44dc9483259b1f9376e74bae2ad37.zip