From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jordy Zomer, Willy Tarreau, Dan Carpenter, Linus Torvalds
Subject: [PATCH 5.4 016/135] floppy: check FDC index for errors before assigning it
Date: Thu, 27 Feb 2020 14:35:56 +0100
Message-Id: <20200227132231.685788364@linuxfoundation.org>
In-Reply-To: <20200227132228.710492098@linuxfoundation.org>
References: <20200227132228.710492098@linuxfoundation.org>

From: Linus Torvalds

commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream.

Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in
wait_til_ready().

Which on the face of it can't happen, since as Willy Tarreau points out,
the function does no particular memory access. Except through the FDCS
macro, which just indexes a static allocation through the current fdc,
which is always checked against N_FDC.

Except the checking happens after we've already assigned the value.

The floppy driver is a disgrace (a lot of it going back to my original
horrid "design"), and has no real maintainer. Nobody has the hardware,
and nobody really cares. But it still gets used in virtual environments
because it's one of those things that everybody supports.

The whole thing should be re-written, or at least parts of it should be
seriously cleaned up. The 'current fdc' index, which is used by the
FDCS macro, and which is often shadowed by a local 'fdc' variable, is a
prime example of how not to write code.

But because nobody has the hardware or the motivation, let's just fix up
the immediate problem with a nasty band-aid: test the fdc index before
actually assigning it to the static 'fdc' variable.

Reported-by: Jordy Zomer
Cc: Willy Tarreau
Cc: Dan Carpenter
Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/block/floppy.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -853,14 +853,17 @@ static void reset_fdc_info(int mode) /* selects the fdc and drive, and enables the fdc's input/dma. */ static void set_fdc(int drive) { + unsigned int new_fdc = fdc; + if (drive >= 0 && drive < N_DRIVE) { - fdc = FDC(drive); + new_fdc = FDC(drive); current_drive = drive; } - if (fdc != 1 && fdc != 0) { + if (new_fdc >= N_FDC) { pr_info("bad fdc value\n"); return; } + fdc = new_fdc; set_dor(fdc, ~0, 8); #if N_FDC > 1 set_dor(1 - fdc, ~8, 0);
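Review bot: In set_fdc(), `current_drive = drive;` is still written inside the `drive < N_DRIVE` branch before the new `new_fdc >= N_FDC` check, so the "bad fdc value" return path can leave current_drive updated while fdc keeps its previous value. That is the same assign-before-validate ordering this patch removes for fdc. Consider committing current_drive next to `fdc = new_fdc;`, after the check has passed, or add a comment stating why the two may diverge safely. Two smaller points: the pr_info() on the reject path does not print the offending index, which would make a report like the KASAN one easier to triage, and a short comment on `unsigned int new_fdc` noting that the unsigned type is what lets the single `>= N_FDC` comparison also reject negative values would help the next reader.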