From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Denis Efremov, Willy Tarreau, Linus Torvalds, Sasha Levin
Subject: [PATCH 4.14 109/293] floppy: fix invalid pointer dereference in drive_name
Date: Mon, 29 Jul 2019 21:20:00 +0200
Message-Id: <20190729190832.999899592@linuxfoundation.org>
In-Reply-To: <20190729190820.321094988@linuxfoundation.org>
References: <20190729190820.321094988@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
User-Agent: quilt/0.66
Content-Type: text/plain; charset=UTF-8
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 9b04609b784027968348796a18f601aed9db3789 ]

This fixes the invalid pointer dereference in the drive_name function of the floppy driver.

The native_format field of the struct floppy_drive_params is used as floppy_type array index in the drive_name function. Thus, the field should be checked the same way as the autodetect field.

To trigger the bug, one could use a value out of range and set the drive parameters with the FDSETDRVPRM ioctl. Next, FDGETDRVTYP ioctl should be used to call the drive_name. A floppy disk is not required to be inserted.

CAP_SYS_ADMIN is required to call FDSETDRVPRM.

The patch adds the check for a value of the native_format field to be in the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov
Tested-by: Willy Tarreau
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
---
 drivers/block/floppy.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index a4f630ef2b75..b4051e251041 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3386,7 +3386,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo) return 0; } -static bool valid_floppy_drive_params(const short autodetect[8]) +static bool valid_floppy_drive_params(const short autodetect[8], + int native_format) { size_t floppy_type_size = ARRAY_SIZE(floppy_type); size_t i = 0; @@ -3397,6 +3398,9 @@ static bool valid_floppy_drive_params(const short autodetect[8]) return false; } + if (native_format < 0 || native_format >= floppy_type_size) + return false; + return true; } @@ -3526,7 +3530,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int SUPBOUND(size, strlen((const char *)outparam) + 1); break; case FDSETDRVPRM: - if (!valid_floppy_drive_params(inparam.dp.autodetect)) + if (!valid_floppy_drive_params(inparam.dp.autodetect, + inparam.dp.native_format)) return -EINVAL; *UDP = inparam.dp; break; @@ -3725,7 +3730,7 @@ static int compat_setdrvprm(int drive, return -EPERM; if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) return -EFAULT; - if (!valid_floppy_drive_params(v.autodetect)) + if (!valid_floppy_drive_params(v.autodetect, v.native_format)) return -EINVAL; mutex_lock(&floppy_mutex); UDP->cmos = v.cmos; -- 2.20.1
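Review bot: in the second hunk, `native_format >= floppy_type_size` compares an `int` against a `size_t`, so it is only correct because the `native_format < 0` test is evaluated first; if the two conditions were ever reordered, a negative value would be converted to a large unsigned number and pass the bound check. Consider making the dependency explicit, e.g. `if (native_format < 0 || (size_t)native_format >= floppy_type_size)`, or add a short comment above the check stating that the order matters.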
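Review bot: the third and fourth hunks update both callers (`FDSETDRVPRM` in fd_locked_ioctl and compat_setdrvprm), and in both paths the check runs before anything is copied into `*UDP`, so an out-of-range value is rejected without being stored, which is the right place for the fix. The consumer named in the description, drive_name, still indexes `floppy_type` with the stored field unchecked; a defensive bound check there would also cover any other writer of the field, though that is a follow-up rather than a blocker for this stable backport.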