From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jordy Zomer, Willy Tarreau, Dan Carpenter, Linus Torvalds
Subject: [PATCH 4.4 085/113] floppy: check FDC index for errors before assigning it
Date: Thu, 27 Feb 2020 14:36:41 +0100
Message-Id: <20200227132225.362545078@linuxfoundation.org>
In-Reply-To: <20200227132211.791484803@linuxfoundation.org>
References: <20200227132211.791484803@linuxfoundation.org>

From: Linus Torvalds

commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream.

Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in wait_til_ready().

Which on the face of it can't happen, since as Willy Tarreau points out, the function does no particular memory access. Except through the FDCS macro, which just indexes a static allocation through the current fdc, which is always checked against N_FDC.

Except the checking happens after we've already assigned the value.

The floppy driver is a disgrace (a lot of it going back to my original horrid "design"), and has no real maintainer. Nobody has the hardware, and nobody really cares. But it still gets used in virtual environment because it's one of those things that everybody supports.

The whole thing should be re-written, or at least parts of it should be seriously cleaned up. The 'current fdc' index, which is used by the FDCS macro, and which is often shadowed by a local 'fdc' variable, is a prime example of how not to write code.

But because nobody has the hardware or the motivation, let's just fix up the immediate problem with a nasty band-aid: test the fdc index before actually assigning it to the static 'fdc' variable.

Reported-by: Jordy Zomer
Cc: Willy Tarreau
Cc: Dan Carpenter
Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/block/floppy.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -848,14 +848,17 @@ static void reset_fdc_info(int mode) /* selects the fdc and drive, and enables the fdc's input/dma. */ static void set_fdc(int drive) { + unsigned int new_fdc = fdc; + if (drive >= 0 && drive < N_DRIVE) { - fdc = FDC(drive); + new_fdc = FDC(drive); current_drive = drive; } - if (fdc != 1 && fdc != 0) { + if (new_fdc >= N_FDC) { pr_info("bad fdc value\n"); return; } + fdc = new_fdc; set_dor(fdc, ~0, 8); #if N_FDC > 1 set_dor(1 - fdc, ~8, 0);
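
Review bot: In set_fdc(), current_drive = drive is still assigned inside the drive range check, before new_fdc is validated, so the "bad fdc value" early return leaves current_drive updated while the static fdc keeps its old value. Consider moving that assignment down next to fdc = new_fdc, after the new_fdc >= N_FDC test, so both globals change together or not at all. The bound check also depends on new_fdc being declared unsigned int to reject a negative FDC(drive) result with a single comparison; a one-line comment on the declaration would keep someone from "tidying" it back to int. Since the function returns void, callers cannot tell that selection failed and will carry on with the previous controller; the pr_info() is the only signal, which is worth stating in the comment above the function.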