Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3785470ybi;
        Mon, 29 Jul 2019 12:34:54 -0700 (PDT)
X-Google-Smtp-Source: APXvYqynN9totR+8zO1y/GQ59FOm7thTciiQ+mVhFDNP9zEsPmo2T+r7c6vTyFAcMj1CUK/T7+Ub
X-Received: by 2002:aa7:8102:: with SMTP id b2mr38619844pfi.105.1564428894450;
        Mon, 29 Jul 2019 12:34:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1564428894; cv=none;
        d=google.com; s=arc-20160816;
        b=xvBjtGR4xkbirF5oWFV9VRYH42B3+xa3Oj9yTeGccop5cd/f2TC7umOXGgQfGEIHXA
         KQ6pkOsvMPO5Hm5mqpGKlKMGuQCoKHgWbquv3CE91DJl0EcWeFRSYToRmSB5xMBboGxI
         ApY14pr4ohn9JvUTDQCXjaQH5IjCoDSwRJK+1e+u+TUrKN0sgxQoJ+aLUq44sygWAP8W
         S3p7Lg4V7Degpl63DdqE/bfxmlaOASeJHwSBtkDUzv7tvrAQXFG4ULGkInJXLVqZpglf
         xe7q5Xhq8XS9mVvzsIkdqk3WkOTl3tnLBd3R0zhcKdVMdgUy83csoFFkDP8V7ULQFSYS
         LAYA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=N7ncvNQY7x6x8yI5TIP3SuCZZRIJl3GKd8PWs3Hs6Ys=;
        b=ti6LLvHUujdZknl1EJaRf+pzW9K8DfFdYX8QbntAiOcQyAU3JfrFEMusZ1TJxPQh+7
         G0fP1tOhKnvxuOwlbtjD8iS4QbaD0u9PCMyfbl0tUUYg8hROdQWbvrw0Kh/Yhq/NTuud
         7t9T+gxC5w1nktpg4c4uuhqgi0U+Fd8rqO1p/95KNc3gJLWCpHzAd7FVc0YalV7qGq1f
         xEs6+3hnjLoNG8/lY/dmDM75XlTVq8W4L4BsK/IWE4z8VHYs49H8HZcijjIGvnLXi5FY
         FbcOzbediJ492WWq/BK6OPZubI23+Bcb+7a1MVG4/IZnZ99INPeQTgfbnRetQDFZbPl6
         HCNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=c6zVSKTv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j12si28038800pfe.188.2019.07.29.12.34.39;
        Mon, 29 Jul 2019 12:34:54 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=c6zVSKTv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730062AbfG2T3F (ORCPT <rfc822;rao.subba.venkata@gmail.com>
        + 99 others); Mon, 29 Jul 2019 15:29:05 -0400
Received: from mail.kernel.org ([198.145.29.99]:41718 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730048AbfG2T3A (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Jul 2019 15:29:00 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 782FD2070B;
        Mon, 29 Jul 2019 19:28:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1564428539;
        bh=YHh7Ki8cG3PLKbuJicjYSL7b+d/UKNTDJG7wmwaq3HM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=c6zVSKTvHBdO9GEVnCe7YbG5NlTYxlPEf4xB4WigyHCIYI/oIOva4WyI+uT73HAAb
         7WfsH7fyXKYWB9UhjHIUtA0QuFtUIo/WKHX3ETUxiEyG9iFgIra5ERTXYYZgbjZwrz
         mAvM2yiXmWOILgGmCu2YtZWFd1JxqQCGqV0kRf70=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Denis Efremov <efremov@ispras.ru>,
        Willy Tarreau <w@1wt.eu>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 109/293] floppy: fix invalid pointer dereference in drive_name
Date:   Mon, 29 Jul 2019 21:20:00 +0200
Message-Id: <20190729190832.999899592@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190729190820.321094988@linuxfoundation.org>
References: <20190729190820.321094988@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 9b04609b784027968348796a18f601aed9db3789 ]

This fixes the invalid pointer dereference in the drive_name function of
the floppy driver.

The native_format field of the struct floppy_drive_params is used as
floppy_type array index in the drive_name function.  Thus, the field
should be checked the same way as the autodetect field.

To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl.  Next, FDGETDRVTYP ioctl should
be used to call the drive_name.  A floppy disk is not required to be
inserted.

CAP_SYS_ADMIN is required to call FDSETDRVPRM.

The patch adds the check for a value of the native_format field to be in
the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
indices.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/floppy.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index a4f630ef2b75..b4051e251041 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3386,7 +3386,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
 	return 0;
 }
 
-static bool valid_floppy_drive_params(const short autodetect[8])
+static bool valid_floppy_drive_params(const short autodetect[8],
+		int native_format)
 {
 	size_t floppy_type_size = ARRAY_SIZE(floppy_type);
 	size_t i = 0;
@@ -3397,6 +3398,9 @@ static bool valid_floppy_drive_params(const short autodetect[8])
 			return false;
 	}
 
+	if (native_format < 0 || native_format >= floppy_type_size)
+		return false;
+
 	return true;
 }
 
@@ -3526,7 +3530,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
 		SUPBOUND(size, strlen((const char *)outparam) + 1);
 		break;
 	case FDSETDRVPRM:
-		if (!valid_floppy_drive_params(inparam.dp.autodetect))
+		if (!valid_floppy_drive_params(inparam.dp.autodetect,
+				inparam.dp.native_format))
 			return -EINVAL;
 		*UDP = inparam.dp;
 		break;
@@ -3725,7 +3730,7 @@ static int compat_setdrvprm(int drive,
 		return -EPERM;
 	if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params)))
 		return -EFAULT;
-	if (!valid_floppy_drive_params(v.autodetect))
+	if (!valid_floppy_drive_params(v.autodetect, v.native_format))
 		return -EINVAL;
 	mutex_lock(&floppy_mutex);
 	UDP->cmos = v.cmos;
-- 
2.20.1