From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Dan Williams, Sasha Levin
Subject: [PATCH 5.6 141/166] libnvdimm: Out of bounds read in __nd_ioctl()
Date: Wed, 22 Apr 2020 11:57:48 +0200
Message-Id: <20200422095103.758784613@linuxfoundation.org>
In-Reply-To: <20200422095047.669225321@linuxfoundation.org>
References: <20200422095047.669225321@linuxfoundation.org>

From: Dan Carpenter

[ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ]

The "cmd" comes from the user and it can be up to 255. If it's more than the number of bits in long, it results in an out of bounds read when we check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is ND_CMD_CALL (10) so I added a compare against that.

Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
Signed-off-by: Dan Carpenter
Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain
Signed-off-by: Dan Williams
Signed-off-by: Sasha Levin
--- drivers/nvdimm/bus.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c index a8b5159685699..09087c38fabdc 100644 --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -1042,8 +1042,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, return -EFAULT; } - if (!desc || (desc->out_num + desc->in_num == 0) || - !test_bit(cmd, &cmd_mask)) + if (!desc || + (desc->out_num + desc->in_num == 0) || + cmd > ND_CMD_CALL || + !test_bit(cmd, &cmd_mask)) return -ENOTTY; /* fail write commands (when read-only) */ -- 2.20.1
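
Review bot: the new `cmd > ND_CMD_CALL` term in the `-ENOTTY` condition of __nd_ioctl() hard-codes ND_CMD_CALL as the last command number, so it has to be updated by hand if a command is ever numbered above it, and nothing in the code says why the bound is there. A one-line comment stating that the compare keeps `test_bit(cmd, &cmd_mask)` within the bits of the single long `cmd_mask` would make that dependency explicit. The placement itself is right: the compare sits before `test_bit()` in the `||` chain, so short-circuit evaluation skips the bit test for an out-of-range `cmd`.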