| Message ID | 1532431000-1813-2-git-send-email-paolo.pisati@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() | expand |
On 24.07.2018 13:16, Paolo Pisati wrote: > From: Alexander Potapenko <glider@google.com> > > CVE-2018-1000204 > > This shall help avoid copying uninitialized memory to the userspace when > calling ioctl(fd, SG_IO) with an empty command. > > Reported-by: syzbot+7d26fc1eea198488deab@syzkaller.appspotmail.com > Cc: stable@vger.kernel.org > Signed-off-by: Alexander Potapenko <glider@google.com> > Acked-by: Douglas Gilbert <dgilbert@interlog.com> > Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> > Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> > (cherry picked from commit a45b599ad808c3c982fdcdc12b0b8611c2f92824) > Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/scsi/sg.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 47b8f7b..1ab6147 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -1826,7 +1826,7 @@ retry: > num = (rem_sz > scatter_elem_sz_prev) ? > scatter_elem_sz_prev : rem_sz; > > - schp->pages[k] = alloc_pages(gfp_mask, order); > + schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order); > if (!schp->pages[k]) > goto out; > >
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 47b8f7b..1ab6147 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1826,7 +1826,7 @@ retry: num = (rem_sz > scatter_elem_sz_prev) ? scatter_elem_sz_prev : rem_sz; - schp->pages[k] = alloc_pages(gfp_mask, order); + schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order); if (!schp->pages[k]) goto out;