This bug, which was probably introduced in Linux 2.6.28, was assigned CVE. In drivers/scsi/sg.c in function start_req(), there was code segment vulnerable to number wraparound in the calculation of total number of pages in bio_map_user_iov(). This can result to allocating small array of pointers to pages that would be overflowed. It was fixed in Linux 4.1-rc1. CVE assignment: http://seclists.org/oss-sec/2015/q3/278 Upstream patches: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdc81f45e9f57858da6351836507fbcf1b7583ee http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=451a2886b6bf90e2fb378f7c46c655450fb96e81
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1250034]
Statement: This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 6, 7 MRG-2 and realtime kernels and does not plan be addressed in a future update.