From: Kyungtae Kim
Date: Wed, 24 Oct 2018 02:29:22 -0400
Subject: Re: UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
To: axboe@kernel.dk
Cc: jikos@kernel.org, Byoungyoung Lee, DaeRyong Jeong, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

Thanks. The following should work.

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index a8cfa01..41160a1 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3146,6 +3146,9 @@ static int raw_cmd_copyin(int cmd, void __user *param,
 			 */
 		return -EINVAL;

+	if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd))
+		return -EINVAL;
+
 	for (i = 0; i < 16; i++)
 		ptr->reply[i] = 0;
 	ptr->resultcode = 0;

On Tue, Oct 23, 2018 at 6:01 AM Jens Axboe wrote:
>
> On 10/22/18 5:20 PM, Kyungtae Kim wrote:
> > We report a bug found in v4.19-rc2 (v4.19-rc8 as well):
> > UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
> >
> > kernel config: https://kt0755.github.io/etc/config_v2-4.19
> > repro: https://kt0755.github.io/etc/repro.b4076.c
> >
> > Analysis:
> >
> > struct floppy_raw_cmd {
> >         unsigned char cmd_count;
> >         unsigned char cmd[16];
> >         ...
> > };
> >
> > for (i = 0; i < raw_cmd->cmd_count; i++)
> >         output_byte(raw_cmd->cmd[i])
> >
> > In drivers/block/floppy.c:1495, the code snippet above is trying to
> > write some bytes to the floppy disk controller, depending on "cmd_count".
> > As you can see in "struct floppy_raw_cmd" above, the size of the array “cmd” is
> > fixed at 16.
> > The thing is, there is no boundary check for the index of the array "cmd"
> > when it is used. Besides, "cmd_count" can be manipulated by raw_cmd_ioctl,
> > which is derived from the ioctl system call.
> > We observed that cmd_count is set at line 2540 (or 2111), but that is
> > after such a bug arose in our experiment. So by manipulating the ioctl system call,
> > a user program can get illegitimate memory access.
> >
> > The following is a simple patch to stop this. (This might not be the
> > best.)
> >
> > diff --git a/linux-4.19-rc2/drivers/block/floppy.c
> > b/linux-4.19-rc2/drivers/block/floppy.c
> > index f2b6f4d..a3610c9 100644
> > --- a/linux-4.19-rc2/drivers/block/floppy.c
> > +++ b/linux-4.19-rc2/drivers/block/floppy.c
> > @@ -3149,6 +3149,8 @@ static int raw_cmd_copyin(int cmd, void __user *param,
> >  			 */
> >  		return -EINVAL;
> >
> > +	if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd)) {
> > +		return -EINVAL;
> > +
> >  	for (i = 0; i < 16; i++)
> >  		ptr->reply[i] = 0;
> >  	ptr->resultcode = 0;
>
> I think that's a decent way to fix it, but you probably want to
> test your patch - it doesn't compile. Send something you've
> tested that works.
>
> --
> Jens Axboe
>
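Review bot: the hunk at @@ -3146,6 +3146,9 @@ in the reply drops a bare `if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd))` directly after the `return -EINVAL;` that closes an earlier validation block (the `*/` context line) without saying why a second, tighter bound is needed there; a one-line comment above the check stating that cmd_count is later used as an index into cmd[] (the loop at floppy.c:1495 from the report) would let the next reader see the two checks are not redundant. The patch is also sent with only "The following should work." as its description: it needs a changelog naming the UBSAN report, Reported-by and Fixes tags, and a Signed-off-by before a maintainer can apply it. Minor: once ARRAY_SIZE(ptr->cmd) is used for one bound, the adjacent `for (i = 0; i < 16; i++)` over reply[] is the obvious place to use ARRAY_SIZE(ptr->reply) too, but that is a separate cleanup.

Review bot: in the quoted hunk at @@ -3149,6 +3149,8 @@ the line `+	if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd)) {` opens a brace that no added line closes, so the function body is unbalanced and the file does not compile, which is the point Jens raises; kernel style wants no braces around a single-statement body, so the fix is `+	if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd))` followed by `+		return -EINVAL;`. The hunk header also declares two added lines (`-3149,6 +3149,8`) while the hunk shows three `+` lines, so it was edited by hand and would be rejected as corrupt by `git apply`; regenerate it with `git diff` from a tree that has been built, then resend.

As an added example, not code from the kernel or from either poster, the following user-space model shows the path the analysis describes and the effect of the proposed check: cmd_count arrives from user space through the ioctl, is used unchanged as the loop bound that indexes cmd[16], and the `>` comparison against ARRAY_SIZE(ptr->cmd) rejects 17 and above while still allowing a full 16-byte command. The struct keeps only the two fields the thread shows; `struct fake_fdc`, `issue_raw_cmd`, `raw_cmd_validate`, `raw_cmd_ioctl` and the `probe_*` helpers are assumptions standing in for the controller port, copy_from_user() and the ioctl dispatch.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Only the two fields the report shows; the real struct has more
 * (assumption: they do not affect the bound being checked). */
struct floppy_raw_cmd {
	unsigned char cmd_count;
	unsigned char cmd[16];
};

/* Hypothetical stand-in for the FDC data port: records every byte
 * "written" so a test can count them. */
struct fake_fdc {
	unsigned char fifo[256];
	size_t n;
};

/* Same shape as the loop at floppy.c:1495: the bound is cmd_count, which
 * came straight from user space. With cmd_count > 16 this would read past
 * cmd[] (the UBSAN report), so the caller must validate cmd_count first;
 * this function deliberately does not. */
static void issue_raw_cmd(struct fake_fdc *fdc, const struct floppy_raw_cmd *raw)
{
	for (unsigned int i = 0; i < raw->cmd_count; i++)
		fdc->fifo[fdc->n++] = raw->cmd[i];
}

/* The check proposed in the thread, as it would sit in raw_cmd_copyin():
 * '>' rather than '>=' so that exactly 16 command bytes stay legal. */
static int raw_cmd_validate(const struct floppy_raw_cmd *raw)
{
	if (raw->cmd_count > ARRAY_SIZE(raw->cmd))
		return -EINVAL;
	return 0;
}

/* Hypothetical model of the ioctl path: copy in, validate, then use.
 * Returns 0 on success or -EINVAL when cmd_count is rejected; nothing
 * reaches the controller in the error case. */
static int raw_cmd_ioctl(struct fake_fdc *fdc, const struct floppy_raw_cmd *user_cmd)
{
	struct floppy_raw_cmd kern;
	int ret;

	memcpy(&kern, user_cmd, sizeof(kern));	/* stands in for copy_from_user() */
	ret = raw_cmd_validate(&kern);
	if (ret)
		return ret;
	issue_raw_cmd(fdc, &kern);		/* loop bound is now at most 16 */
	return 0;
}

/* Drive the model with a user-chosen cmd_count and return the ioctl result. */
static int probe_count(unsigned char count)
{
	struct fake_fdc fdc = { .n = 0 };
	struct floppy_raw_cmd user_cmd;

	memset(&user_cmd, 0xA5, sizeof(user_cmd));	/* constructed payload bytes */
	user_cmd.cmd_count = count;
	return raw_cmd_ioctl(&fdc, &user_cmd);
}

/* Same, but report how many bytes reached the controller (0 when rejected). */
static size_t probe_bytes(unsigned char count)
{
	struct fake_fdc fdc = { .n = 0 };
	struct floppy_raw_cmd user_cmd;

	memset(&user_cmd, 0xA5, sizeof(user_cmd));
	user_cmd.cmd_count = count;
	(void)raw_cmd_ioctl(&fdc, &user_cmd);
	return fdc.n;
}

int main(void)
{
	/* 16 is accepted and emits 16 bytes; 17 is refused and emits none. */
	return (probe_count(16) == 0 && probe_bytes(16) == 16 &&
		probe_count(17) == -EINVAL && probe_bytes(17) == 0) ? 0 : 1;
}
```

The point of keeping the loop unchecked is that it matches the kernel's shape: the fix lives at the copy-in boundary, where every later use of cmd_count is covered, rather than in each consumer.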