diff options
| author | Denis Efremov <efremov@ispras.ru> | 2019-07-12 14:55:22 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-17 17:45:50 -0400 |
| commit | 9b04609b784027968348796a18f601aed9db3789 (patch) | |
| tree | 96a133df881bb20e6bd1b1c58f28abe96a389583 /drivers/block | |
| parent | 5635f897ed83fd539df78e98ba69ee91592f9bb8 (diff) | |
floppy: fix invalid pointer dereference in drive_name
This fixes the invalid pointer dereference in the drive_name function of
the floppy driver.
The native_format field of the struct floppy_drive_params is used as
floppy_type array index in the drive_name function. Thus, the field
should be checked the same way as the autodetect field.
To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl. Next, FDGETDRVTYP ioctl should
be used to call the drive_name. A floppy disk is not required to be
inserted.
CAP_SYS_ADMIN is required to call FDSETDRVPRM.
The patch adds the check for a value of the native_format field to be in
the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
indices.
The bug was found by syzkaller.
Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/block')
| -rw-r--r-- | drivers/block/floppy.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index b70d6e103a57..671a0ae434b4 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c | |||
| @@ -3380,7 +3380,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo) | |||
| 3380 | return 0; | 3380 | return 0; |
| 3381 | } | 3381 | } |
| 3382 | 3382 | ||
| 3383 | static bool valid_floppy_drive_params(const short autodetect[8]) | 3383 | static bool valid_floppy_drive_params(const short autodetect[8], |
| 3384 | int native_format) | ||
| 3384 | { | 3385 | { |
| 3385 | size_t floppy_type_size = ARRAY_SIZE(floppy_type); | 3386 | size_t floppy_type_size = ARRAY_SIZE(floppy_type); |
| 3386 | size_t i = 0; | 3387 | size_t i = 0; |
| @@ -3391,6 +3392,9 @@ static bool valid_floppy_drive_params(const short autodetect[8]) | |||
| 3391 | return false; | 3392 | return false; |
| 3392 | } | 3393 | } |
| 3393 | 3394 | ||
| 3395 | if (native_format < 0 || native_format >= floppy_type_size) | ||
| 3396 | return false; | ||
| 3397 | |||
| 3394 | return true; | 3398 | return true; |
| 3395 | } | 3399 | } |
| 3396 | 3400 | ||
| @@ -3520,7 +3524,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int | |||
| 3520 | SUPBOUND(size, strlen((const char *)outparam) + 1); | 3524 | SUPBOUND(size, strlen((const char *)outparam) + 1); |
| 3521 | break; | 3525 | break; |
| 3522 | case FDSETDRVPRM: | 3526 | case FDSETDRVPRM: |
| 3523 | if (!valid_floppy_drive_params(inparam.dp.autodetect)) | 3527 | if (!valid_floppy_drive_params(inparam.dp.autodetect, |
| 3528 | inparam.dp.native_format)) | ||
| 3524 | return -EINVAL; | 3529 | return -EINVAL; |
| 3525 | *UDP = inparam.dp; | 3530 | *UDP = inparam.dp; |
| 3526 | break; | 3531 | break; |
| @@ -3719,7 +3724,7 @@ static int compat_setdrvprm(int drive, | |||
| 3719 | return -EPERM; | 3724 | return -EPERM; |
| 3720 | if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) | 3725 | if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) |
| 3721 | return -EFAULT; | 3726 | return -EFAULT; |
| 3722 | if (!valid_floppy_drive_params(v.autodetect)) | 3727 | if (!valid_floppy_drive_params(v.autodetect, v.native_format)) |
| 3723 | return -EINVAL; | 3728 | return -EINVAL; |
| 3724 | mutex_lock(&floppy_mutex); | 3729 | mutex_lock(&floppy_mutex); |
| 3725 | UDP->cmos = v.cmos; | 3730 | UDP->cmos = v.cmos; |