From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Dan Carpenter , Dan Williams , Sasha Levin , linux-nvdimm@lists.01.org Subject: [PATCH AUTOSEL 4.19 27/47] libnvdimm: Out of bounds read in __nd_ioctl() Date: Sat, 18 Apr 2020 10:42:07 -0400 Message-Id: <20200418144227.9802-27-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200418144227.9802-1-sashal@kernel.org> References: <20200418144227.9802-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ] The "cmd" comes from the user and it can be up to 255. It it's more than the number of bits in long, it results out of bounds read when we check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is ND_CMD_CALL (10) so I added a compare against that. Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain Signed-off-by: Dan Williams Signed-off-by: Sasha Levin --- drivers/nvdimm/bus.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c index 54a633e8cb5d2..48a070a37ea9b 100644 --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -984,8 +984,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, return -EFAULT; } - if (!desc || (desc->out_num + desc->in_num == 0) || - !test_bit(cmd, &cmd_mask)) + if (!desc || + (desc->out_num + desc->in_num == 0) || + cmd > ND_CMD_CALL || + !test_bit(cmd, &cmd_mask)) return -ENOTTY; /* fail write commands (when read-only) */ -- 2.20.1
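Review bot: The added `cmd > ND_CMD_CALL ||` term in the `if` condition of `__nd_ioctl()` bounds `cmd` by the highest command number defined today, not by the width of `cmd_mask`, so the safety of `test_bit(cmd, &cmd_mask)` now rests on the unstated assumption that ND_CMD_CALL stays below the number of bits in a long. A one-line comment above the compare saying that it guards the `test_bit()` read, or a bound written against BITS_PER_LONG alongside it, would keep that invariant visible if a command is ever added above ND_CMD_CALL. The term is correctly placed before `!test_bit(...)`, so short-circuit evaluation prevents the out-of-bounds read; that ordering is load-bearing and also worth noting in the comment. The declaration of `cmd` is not in this hunk, so it is worth confirming that it is unsigned, since an upper-bound compare alone would not reject a negative value.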