sg_write()/bsg_write() is not fit to be called under KERNEL_DS
Both damn things interpret userland pointers embedded into the payload; worse, they are actually traversing those. Leaving aside the bad API design, this is very much _not_ safe to call with KERNEL_DS. Bail out early if that happens. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Al Viro
@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
|
||||
|
||||
dprintk("%s: write %Zd bytes\n", bd->name, count);
|
||||
|
||||
if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
|
||||
return -EINVAL;
|
||||
|
||||
bsg_set_block(bd, file);
|
||||
|
||||
bytes_written = 0;
|
||||
|
||||
مرجع در شماره جدید
Block a user