From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dan Carpenter, Dan Williams, Sasha Levin, linux-nvdimm@lists.01.org
Subject: [PATCH AUTOSEL 5.4 45/78] libnvdimm: Out of bounds read in __nd_ioctl()
Date: Sat, 18 Apr 2020 10:40:14 -0400
Message-Id: <20200418144047.9013-45-sashal@kernel.org>
In-Reply-To: <20200418144047.9013-1-sashal@kernel.org>

From: Dan Carpenter

[ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ]

The "cmd" comes from the user and it can be up to 255. If it's more than the number of bits in long, it results in an out of bounds read when we check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is ND_CMD_CALL (10) so I added a compare against that.

Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
Signed-off-by: Dan Carpenter
Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain
Signed-off-by: Dan Williams
Signed-off-by: Sasha Levin
---
 drivers/nvdimm/bus.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c index d47412dcdf38d..5e5c6aafc070b 100644 --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -1010,8 +1010,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, return -EFAULT; } - if (!desc || (desc->out_num + desc->in_num == 0) || - !test_bit(cmd, &cmd_mask)) + if (!desc || + (desc->out_num + desc->in_num == 0) || + cmd > ND_CMD_CALL || + !test_bit(cmd, &cmd_mask)) return -ENOTTY; /* fail write commands (when read-only) */ -- 2.20.1
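
Review bot: The new `cmd > ND_CMD_CALL` compare in the `-ENOTTY` condition of __nd_ioctl() encodes "highest command defined today", while the property that `test_bit(cmd, &cmd_mask)` actually depends on is that cmd is smaller than the number of bits in the long that cmd_mask occupies. The two coincide now because ND_CMD_CALL is 10, but nothing in the hunk ties them together, so a command added above ND_CMD_CALL would need this line updated by hand. A one-line comment above the compare saying that it must stay ahead of test_bit() and why would make the ordering dependency explicit, since the fix relies on `||` short-circuiting before the bit lookup. It is also worth confirming the type of cmd at this point, which the hunk does not show: an upper-bound-only compare is sufficient only if cmd cannot be negative.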