author | Denis Efremov <efremov@ispras.ru> | 2019-07-12 14:55:21 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-17 17:45:49 -0400 |
commit | 5635f897ed83fd539df78e98ba69ee91592f9bb8 (patch) | |
tree | cc7a5fc94670775c0fb7c8e556c9079b08b9f7cd /drivers/block | |
parent | f3554aeb991214cbfafd17d55e2bfddb50282e32 (diff) |
floppy: fix out-of-bounds read in next_valid_format
This fixes a global out-of-bounds read access in the next_valid_format
function of the floppy driver.
The values from autodetect field of the struct floppy_drive_params are
used as indices for the floppy_type array in the next_valid_format
function 'floppy_type[DP->autodetect[probed_format]].sect'.
To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl. A floppy disk is not required to
be inserted.
CAP_SYS_ADMIN is required to call FDSETDRVPRM.
The patch adds the check for values of the autodetect field to be in the
'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.
The bug was found by syzkaller.
Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/block')
-rw-r--r-- | drivers/block/floppy.c | 18 |
1 files changed, 18 insertions, 0 deletions
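--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3380,6 +3380,20 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
 return 0;
 }
 
+static bool valid_floppy_drive_params(const short autodetect[8])
+{
+size_t floppy_type_size = ARRAY_SIZE(floppy_type);
+size_t i = 0;
+
+for (i = 0; i < 8; ++i) {
+if (autodetect[i] < 0 ||
+autodetect[i] >= floppy_type_size)
+return false;
+}
+
+return true;
+}
+
 static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd,
 unsigned long param)
 {
@@ -3506,6 +3520,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
 SUPBOUND(size, strlen((const char *)outparam) + 1);
 break;
 case FDSETDRVPRM:
+if (!valid_floppy_drive_params(inparam.dp.autodetect))
+return -EINVAL;
 *UDP = inparam.dp;
 break;
 case FDGETDRVPRM:
@@ -3703,6 +3719,8 @@ static int compat_setdrvprm(int drive,
 return -EPERM;
 if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params)))
 return -EFAULT;
+if (!valid_floppy_drive_params(v.autodetect))
+return -EINVAL;
 mutex_lock(&floppy_mutex);
 UDP->cmos = v.cmos;
 UDP->max_dtr = v.max_dtr;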
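Review bot: The helper added ahead of fd_locked_ioctl is named valid_floppy_drive_params but range-checks only the eight autodetect entries, while the FDSETDRVPRM case still copies the whole user-supplied struct with `*UDP = inparam.dp;`. A comment on the helper would keep the next reader from assuming the full struct is validated, for example `/* Checks autodetect[] only: each entry must be a valid floppy_type index. Other fields are not validated here. */`; whether any other field is later used as an array index cannot be told from these hunks and is worth confirming. The loop bound `8` is a hand-copied literal, since the `[8]` in the parameter declaration decays to a pointer and is not enforced by the compiler; a named constant shared with the struct definition would keep the two in step. fd_locked_ioctl and compat_setdrvprm both continue outside the hunks shown.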