ANDROID: scsi: Add segment checking in sg_read

Bug: 65023233 Signed-off-by: Roberto Pereira <rpere@google.com> Change-Id: Ib45f402cf304f9b8bf18884738f92b9c3db55573
author: Roberto Pereira <rpere@google.com> 2017-10-10 17:14:48 -0700
committer: Mister Oyster <oysterized@gmail.com> 2017-12-08 17:34:51 +0100
commit: 5ccf0686ff68e63fdc76a82b23df05009caa3ec5 (patch)
tree: 71f9a78067baff2422473a481b860037f669a77b /drivers/scsi
parent: fe19ee87cb697194c54cd28ba67d9e97fde64e2c (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 207b6cfb7..9383e7494 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -386,6 +386,9 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
 	struct sg_header *old_hdr = NULL;
 	int retval = 0;
 
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, printk("sg_read: %s, count=%d\n",
author	Roberto Pereira <rpere@google.com>	2017-10-10 17:14:48 -0700
committer	Mister Oyster <oysterized@gmail.com>	2017-12-08 17:34:51 +0100
commit	5ccf0686ff68e63fdc76a82b23df05009caa3ec5 (patch)
tree	71f9a78067baff2422473a481b860037f669a77b /drivers/scsi
parent	fe19ee87cb697194c54cd28ba67d9e97fde64e2c (diff)