From: Kyungtae Kim
Date: Fri, 26 Oct 2018 09:22:51 -0400
Subject: Re: UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
To: axboe@kernel.dk
Cc: jikos@kernel.org, Byoungyoung Lee, DaeRyong Jeong, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

I corrected the patch as follows:

[PATCH] floppy: Avoid memory access beyond the array bounds in setup_rw_floppy()

setup_rw_floppy() writes some bytes of array cmd to the floppy disk
controller, depending on cmd_count. Although the size of array cmd is
fixed at 16, cmd_count can be much larger through raw_cmd_ioctl().
I noticed there is no bounds check for this, thereby leading to invalid
memory access. This patch adds a bounds check for cmd_count when it is
initialized for the first time.

The crash log is as follows:

UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
index 16 is out of range for type 'unsigned char [16]'
CPU: 0 PID: 2420 Comm: kworker/u4:3 Not tainted 4.19.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 __ubsan_handle_out_of_bounds+0x174/0x1b8 lib/ubsan.c:386
 setup_rw_floppy+0xbd9/0xe60 drivers/block/floppy.c:1495
 seek_floppy drivers/block/floppy.c:1605 [inline]
 floppy_ready+0x61a/0x2230 drivers/block/floppy.c:1917
 fd_timer_workfn+0x1a/0x20 drivers/block/floppy.c:994
 process_one_work+0xa0c/0x1820 kernel/workqueue.c:2153
 worker_thread+0x8f/0xd20 kernel/workqueue.c:2296
 kthread+0x3a3/0x470 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

Signed-off-by: Kyungtae Kim
---
 drivers/block/floppy.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index a8cfa01..41160a1 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3146,6 +3146,9 @@ static int raw_cmd_copyin(int cmd, void __user *param, */ return -EINVAL; + if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd)) + return -EINVAL; + for (i = 0; i < 16; i++) ptr->reply[i] = 0; ptr->resultcode = 0;
--
2.7.4

On Wed, Oct 24, 2018 at 5:27 AM Jens Axboe wrote:
>
> On 10/24/18 12:33 AM, Kyungtae Kim wrote:
> > Corrected.
>
> You'll want to read Documentation/process/submitting-patches.rst as
> your patch is lacking in several areas.
>
> --
> Jens Axboe
>
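Review bot: The new check is inserted right after an existing `return -EINVAL;` that is itself guarded by a comment (the `*/` context line), so raw_cmd_copyin() already rejects some raw commands at this point; the patch should either fold the new condition into that existing test or state in the commit message why a second limit of ARRAY_SIZE(ptr->cmd) (16 entries, per the UBSAN message `unsigned char [16]`) is the correct maximum and does not reject requests the existing check deliberately accepted, since for raw_cmd_ioctl() callers that would be a behaviour change rather than a pure bounds fix. The check itself is placed sensibly: cmd_count is compared against the array size at copy-in, before the value is consumed from the deferred fd_timer_workfn() path shown in the call trace, and the diffstat (3 insertions) matches the hunk. On process: the patch is embedded in a reply underneath quoted discussion, with no version tag or changelog; resend it as a standalone [PATCH v2] with a short "changes since v1" note, as Documentation/process/submitting-patches.rst (which Jens pointed to) describes, and add a Reported-by: tag if the finding came from syzkaller (syzkaller@googlegroups.com is on Cc).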
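An added example, not code from the kernel or from the patch author: a user-space model of the path the commit message describes, where cmd_count arrives from an untrusted ioctl argument and is consumed later, from a workqueue (see the call trace), by a loop that indexes the fixed 16-byte cmd[] array. The struct layout and function names are simplified assumptions; the bound is placed at copy-in, as the patch does.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified model of the request the ioctl copies in (assumed layout). */
struct raw_cmd_model {
    unsigned char cmd[16];   /* bytes to send to the controller */
    unsigned char cmd_count; /* how many of cmd[] to send: user-chosen */
    unsigned char reply[16]; /* memory that follows cmd[] in the struct */
};

/* Copy-in with the bound the patch adds in raw_cmd_copyin():
 * 0 on success, -EINVAL if cmd_count could index past cmd[]. */
int raw_cmd_copyin_model(struct raw_cmd_model *dst, const struct raw_cmd_model *user)
{
    if ((size_t)user->cmd_count > ARRAY_SIZE(user->cmd))
        return -EINVAL;
    memcpy(dst, user, sizeof(*dst));
    memset(dst->reply, 0, sizeof(dst->reply));
    return 0;
}

/* Deferred consumer modelled on setup_rw_floppy(): sends cmd[0..cmd_count)
 * to the controller (here a capture buffer). It trusts cmd_count, so only
 * the copy-in bound keeps cmd[i] inside the array; i == 16 is the index in
 * the UBSAN report. Returns the number of bytes emitted. */
size_t setup_rw_model(const struct raw_cmd_model *rc, unsigned char *fdc, size_t fdc_len)
{
    size_t i;

    for (i = 0; i < rc->cmd_count && i < fdc_len; i++)
        fdc[i] = rc->cmd[i];
    return i;
}

/* Drive the whole path for a given cmd_count: returns the count of bytes
 * that reached the controller, or -1 if the copy-in rejected the request. */
int bytes_reaching_fdc(unsigned char count)
{
    struct raw_cmd_model user, kern;
    unsigned char fdc[64];

    memset(&user, 0, sizeof(user));
    user.cmd_count = count;
    if (raw_cmd_copyin_model(&kern, &user) != 0)
        return -1;
    return (int)setup_rw_model(&kern, fdc, sizeof(fdc));
}
```

Compiling the model with `-fsanitize=bounds` and removing the copy-in check reproduces the same class of report that UBSAN raised at floppy.c:1495.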