Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp226928imd;
        Fri, 26 Oct 2018 07:40:28 -0700 (PDT)
X-Google-Smtp-Source: AJdET5fkqfF4JecVDV5l4PxHmC+gBRoVPmv7wIffPSDFGKTMP1pRgwPx4MNJljaRyfF0pzWYURig
X-Received: by 2002:a63:1f60:: with SMTP id q32-v6mr3642174pgm.88.1540564827952;
        Fri, 26 Oct 2018 07:40:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540564827; cv=none;
        d=google.com; s=arc-20160816;
        b=t4cFUzBY2F3gh/xu8jH6tBdCvFqiKEV0+jrJhctyw9vAT7/dgnVTBusLriMheIAx9G
         ZQW+AorkudF8vIr1+BBdqDC5VpKy3RFLngVGyJL1Ddkld1aBhgnYqk8IfkFc0SkIrtkN
         igEkK0phPvylvTIrcSgPKvhm3vDv3oW5oqKFUvpmR4QDN1fWY4dDVJeffMJzfLj2H4Of
         Ns4VW9WLy9Svk2h3KuhGZgRpNbMloHASqVOXMwNZYQrS5/N7v8K+lmI0IHLdgM9kyqFl
         6jmFXlYRX1k922YV+5pLqjp07L8TPl+caXKOW2FY//0N2z75fc3nMm90l25F5BOjJUF7
         Bufw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :mime-version:dkim-signature;
        bh=cJXfXkrm7720O8v9TD/5v8IUGAzgQhLkMw7heGuzGcA=;
        b=LenEfZ4TJoJSFF98A6F8LUW9pp35oMbWTDj+sZFBifYTX5e66PEIAuIXUU6ufuL9hc
         D70B5yQkx3M3uKcHc8G4HN3C1oH08p/5aNfJ+Z9H7uCuRBWekMyxgpNrclVYV39dclwQ
         bmVaazUeDYiHDqtmqTYO/PUZtvsp3N9oaTxPbuz8rKQCO9sgUoBG0FVtVdyTX9Yt4cz6
         Zkjmhwsm/vUzor9evtXa8fM9wEXkfJsYAnlbQKu5OV7hmDzh7vAT8mRY1oYC0aCBk1qY
         5PhxnlqmGy1hCd2/HuwTcVQf7rbUbc5/4wZ5k9IZY0YbeAXCr3gBfkW9BAE3Qz1NBqQh
         BB3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XXFntO+K;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z67-v6si12309939pfz.5.2018.10.26.07.40.12;
        Fri, 26 Oct 2018 07:40:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XXFntO+K;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727507AbeJZXQv (ORCPT <rfc822;chenhe.dev@gmail.com>
        + 99 others); Fri, 26 Oct 2018 19:16:51 -0400
Received: from mail-it1-f195.google.com ([209.85.166.195]:38384 "EHLO
        mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726159AbeJZXQu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 Oct 2018 19:16:50 -0400
Received: by mail-it1-f195.google.com with SMTP id i76-v6so1937414ita.3;
        Fri, 26 Oct 2018 07:39:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to:cc;
        bh=cJXfXkrm7720O8v9TD/5v8IUGAzgQhLkMw7heGuzGcA=;
        b=XXFntO+KKTpzgIFPtsT864/Jv+Vguvc7XkLtWd6TxLu+PYrZWgzDhVj+OBmw0F5c/0
         f3C07vWBPraVO5jyXPoGomda3UQs29r7Nyz6CcQjJexBx9nIICDvTKXPW0TXnpDbu7c7
         0N/vXJhUh25tc8u5hNNi39/5mcT5dEbeuri9wcowg3AZLBwyOj0jLPoD9CWiL5jm2z1Y
         8w8oy4jNBofahC3vtp2B7FvMlrCg0icmjjNpNGqYkK+RUeh48fQ0x4VdYxjz9DkNZrjy
         ERK/MK1KT6DcyepSsolfa+9yeTKui6ZTzdcdcc370CVuS1mf/LyFAl3sTvA35HOmm8v9
         9TtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
        bh=cJXfXkrm7720O8v9TD/5v8IUGAzgQhLkMw7heGuzGcA=;
        b=gxHL05VBTLMiSUG83cJHpdyJI0CnyOJ56Sq9GeWonmbMl/7u592fqIbycnTP+tNH3U
         gg5se2Hnn02VA7YZWx/LH/eqHDZIRQ6UbzWQgzvkHWX6ma9mCU/6SJpn6/mzrN0SA23k
         1PagRXpaA+uTjiBp32d36F+3drlWjI57A9nNW0W4M/BTyPKsr9/+SewYY787NcuXtAeu
         M3gtmgIFBpaz2rUbxFztI6yY074zYsGhC5xt+e44R+AgEpXAwByy28UA17h1eq+qnvOB
         D1iXn6xMBo0UGrf+kIhxXtedW8EMnhK2nBSQgL6uM4QJnZWXdDIjwS6nILfjhaCG8lw7
         EI0A==
X-Gm-Message-State: AGRZ1gIf3jtEssufICUPS4XI+Anqi0yXQLnTYr0B0wxJOcPSGO49H32X
        RB7txPtwUHuPmfPHwJ1JIGPUvUoo/ja5/WHc13k=
X-Received: by 2002:a05:660c:b03:: with SMTP id f3mr3861673itk.60.1540564771452;
 Fri, 26 Oct 2018 07:39:31 -0700 (PDT)
MIME-Version: 1.0
From:   Kyungtae Kim <kt0755@gmail.com>
Date:   Fri, 26 Oct 2018 10:39:19 -0400
Message-ID: <CAEAjamtxZRiFUYb4re3jRf9naoSyJO7sskChfEgcBh-m-uEKWQ@mail.gmail.com>
Subject: [PATCH] floppy: Avoid memory access beyond the array bounds in setup_rw_floppy()
To:     Jens Axboe <axboe@kernel.dk>
Cc:     jikos@kernel.org, Byoungyoung Lee <lifeasageek@gmail.com>,
        DaeRyong Jeong <threeearcat@gmail.com>,
        linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

setup_rw_floppy() writes some bytes of array cmd to the floppy disk
controller, depending on cmd_count.
Although the size of array cmd is fixed like 16, cmd_count can be much
larger through raw_cmd_ioctl().
Noticed there is no bound check for this, thereby leading to invalid
memory access.

This patch adds a bound check for cmd_count when initialized for the
first time.

The crash log is as follows:
UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
index 16 is out of range for type 'unsigned char [16]'
CPU: 0 PID: 2420 Comm: kworker/u4:3 Not tainted 4.19.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 __ubsan_handle_out_of_bounds+0x174/0x1b8 lib/ubsan.c:386
 setup_rw_floppy+0xbd9/0xe60 drivers/block/floppy.c:1495
 seek_floppy drivers/block/floppy.c:1605 [inline]
 floppy_ready+0x61a/0x2230 drivers/block/floppy.c:1917
 fd_timer_workfn+0x1a/0x20 drivers/block/floppy.c:994
 process_one_work+0xa0c/0x1820 kernel/workqueue.c:2153
 worker_thread+0x8f/0xd20 kernel/workqueue.c:2296
 kthread+0x3a3/0x470 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
---
 drivers/block/floppy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index a8cfa01..41160a1 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3146,6 +3146,9 @@ static int raw_cmd_copyin(int cmd, void __user *param,
                         */
                return -EINVAL;

+       if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd))
+               return -EINVAL;
+
        for (i = 0; i < 16; i++)
                ptr->reply[i] = 0;
        ptr->resultcode = 0;
--
2.7.4