From: Kyungtae Kim
Date: Fri, 26 Oct 2018 10:39:19 -0400
Subject: [PATCH] floppy: Avoid memory access beyond the array bounds in setup_rw_floppy()
To: Jens Axboe
Cc: jikos@kernel.org, Byoungyoung Lee, DaeRyong Jeong, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

setup_rw_floppy() writes some bytes of array cmd to the floppy disk controller, depending on cmd_count. Although the size of array cmd is fixed at 16, cmd_count can be much larger through raw_cmd_ioctl(). I noticed there is no bounds check for this, which leads to invalid memory access. This patch adds a bounds check for cmd_count when it is initialized for the first time.

The crash log is as follows:

UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
index 16 is out of range for type 'unsigned char [16]'
CPU: 0 PID: 2420 Comm: kworker/u4:3 Not tainted 4.19.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 __ubsan_handle_out_of_bounds+0x174/0x1b8 lib/ubsan.c:386
 setup_rw_floppy+0xbd9/0xe60 drivers/block/floppy.c:1495
 seek_floppy drivers/block/floppy.c:1605 [inline]
 floppy_ready+0x61a/0x2230 drivers/block/floppy.c:1917
 fd_timer_workfn+0x1a/0x20 drivers/block/floppy.c:994
 process_one_work+0xa0c/0x1820 kernel/workqueue.c:2153
 worker_thread+0x8f/0xd20 kernel/workqueue.c:2296
 kthread+0x3a3/0x470 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

Signed-off-by: Kyungtae Kim
---
 drivers/block/floppy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index a8cfa01..41160a1 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3146,6 +3146,9 @@ static int raw_cmd_copyin(int cmd, void __user *param, */ return -EINVAL; + if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd)) + return -EINVAL; + for (i = 0; i < 16; i++) ptr->reply[i] = 0; ptr->resultcode = 0; -- 2.7.4
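Review bot: the new check in raw_cmd_copyin() compares against `ARRAY_SIZE(ptr->cmd)`, but the very next lines keep the hardcoded `for (i = 0; i < 16; i++)` over ptr->reply; for consistency with the bound you are introducing, that loop would read better as `i < ARRAY_SIZE(ptr->reply)`. The `>` comparison deliberately admits cmd_count == 16 and rejects 17 and above, which matches the UBSAN report of index 16 being out of range for `unsigned char [16]`; please state that boundary in the commit message so reviewers can check it against the loop in setup_rw_floppy(). The commit message also says the check is added "when initialized for the first time", while the hunk shows it in raw_cmd_copyin() on the kernel-side copy (`ptr->cmd_count`); naming the function in the message would make the placement clearer.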
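As an added illustration (not part of the patch or of the kernel's own code), the copy-in, validate, consume path that the commit message describes, modelled in plain C: `struct raw_cmd` is a hypothetical two-field stand-in for the kernel's floppy raw command struct, `memcpy` stands in for copy_from_user(), and a byte sink replaces the controller port.

```c
#include <stddef.h>
#include <string.h>

#define EINVAL 22
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for the kernel's raw command struct with only the
 * two fields the bug involves; the real struct has more members. */
struct raw_cmd {
	unsigned char cmd_count;   /* user-controlled via the raw command ioctl */
	unsigned char cmd[16];     /* fixed 16-byte command buffer */
};

/* Model of raw_cmd_copyin(): memcpy stands in for copy_from_user(). The
 * bound is checked on the kernel-side copy (ptr->cmd_count in the patch),
 * never on the user buffer, so user space cannot alter it after the check. */
static int raw_cmd_copyin_model(struct raw_cmd *kern, const struct raw_cmd *user)
{
	memcpy(kern, user, sizeof(*kern));
	/* The patch's check: cmd_count == 16 is legal because the consumer
	 * indexes cmd[i] only for i < cmd_count; 17 or more would read past
	 * the array, which is what the UBSAN "index 16" report flagged. */
	if (kern->cmd_count > ARRAY_SIZE(kern->cmd))
		return -EINVAL;
	return 0;
}

/* Model of the write loop in setup_rw_floppy(): the controller port is
 * replaced by a byte sink. Only ever called on a validated command. */
static size_t setup_rw_model(const struct raw_cmd *rc, unsigned char *sink, size_t sink_len)
{
	size_t n = 0;

	for (unsigned int i = 0; i < rc->cmd_count && n < sink_len; i++)
		sink[n++] = rc->cmd[i];
	return n;
}

/* Full path: copy in, validate, then emit. Returns bytes emitted or -EINVAL. */
long process_user_cmd(const struct raw_cmd *user, unsigned char *sink, size_t sink_len)
{
	struct raw_cmd kern;
	int err = raw_cmd_copyin_model(&kern, user);

	if (err)
		return err;
	return (long)setup_rw_model(&kern, sink, sink_len);
}
```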