[SRU,CVE-2019-14283,X/B/D,1/1] floppy: fix out-of-bounds read in copy_buffer
diff mbox series

Message ID 20190801174517.24507-2-connor.kuehl@canonical.com
State New
Headers show
Series
  • floppy: fix out-of-bounds read in copy_buffer
Related show

Commit Message

Connor Kuehl Aug. 1, 2019, 5:45 p.m. UTC
From: Denis Efremov <efremov@ispras.ru>

CVE-2019-14283

This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function.  It is
possible to overflow the max_sector.  Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.

The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
---
 drivers/block/floppy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Tyler Hicks Aug. 1, 2019, 5:49 p.m. UTC | #1
On 2019-08-01 10:45:17, Connor Kuehl wrote:
> From: Denis Efremov <efremov@ispras.ru>
> 
> CVE-2019-14283
> 
> This fixes a global out-of-bounds read access in the copy_buffer
> function of the floppy driver.
> 
> The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> and head fields (unsigned int) of the floppy_drive structure are used to
> compute the max_sector (int) in the make_raw_rw_request function.  It is
> possible to overflow the max_sector.  Next, max_sector is passed to the
> copy_buffer function and used in one of the memcpy calls.
> 
> An unprivileged user could trigger the bug if the device is accessible,
> but requires a floppy disk to be inserted.
> 
> The patch adds the check for the .sect * .head multiplication for not
> overflowing in the set_geometry function.
> 
> The bug was found by syzkaller.
> 
> Signed-off-by: Denis Efremov <efremov@ispras.ru>
> Tested-by: Willy Tarreau <w@1wt.eu>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Tyler

> ---
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 42ae1d2d8243..7516fed84ae9 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
>  	int cnt;
>  
>  	/* sanity checking for parameters. */
> -	if (g->sect <= 0 ||
> -	    g->head <= 0 ||
> +	if ((int)g->sect <= 0 ||
> +	    (int)g->head <= 0 ||
> +	    /* check for overflow in max_sector */
> +	    (int)(g->sect * g->head) <= 0 ||
>  	    /* check for zero in F_SECT_PER_TRACK */
>  	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
>  	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> -- 
> 2.20.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Colin Ian King Aug. 1, 2019, 6:04 p.m. UTC | #2
On 01/08/2019 18:45, Connor Kuehl wrote:
> From: Denis Efremov <efremov@ispras.ru>
> 
> CVE-2019-14283
> 
> This fixes a global out-of-bounds read access in the copy_buffer
> function of the floppy driver.
> 
> The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> and head fields (unsigned int) of the floppy_drive structure are used to
> compute the max_sector (int) in the make_raw_rw_request function.  It is
> possible to overflow the max_sector.  Next, max_sector is passed to the
> copy_buffer function and used in one of the memcpy calls.
> 
> An unprivileged user could trigger the bug if the device is accessible,
> but requires a floppy disk to be inserted.
> 
> The patch adds the check for the .sect * .head multiplication for not
> overflowing in the set_geometry function.
> 
> The bug was found by syzkaller.
> 
> Signed-off-by: Denis Efremov <efremov@ispras.ru>
> Tested-by: Willy Tarreau <w@1wt.eu>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
> ---
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 42ae1d2d8243..7516fed84ae9 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
>  	int cnt;
>  
>  	/* sanity checking for parameters. */
> -	if (g->sect <= 0 ||
> -	    g->head <= 0 ||
> +	if ((int)g->sect <= 0 ||
> +	    (int)g->head <= 0 ||
> +	    /* check for overflow in max_sector */
> +	    (int)(g->sect * g->head) <= 0 ||
>  	    /* check for zero in F_SECT_PER_TRACK */
>  	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
>  	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> 

Acked-by: Colin Ian King <colin.king@canonical.com>
Khaled Elmously Aug. 7, 2019, 3:36 a.m. UTC | #3
On 2019-08-01 10:45:17 , Connor Kuehl wrote:
> From: Denis Efremov <efremov@ispras.ru>
> 
> CVE-2019-14283
> 
> This fixes a global out-of-bounds read access in the copy_buffer
> function of the floppy driver.
> 
> The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> and head fields (unsigned int) of the floppy_drive structure are used to
> compute the max_sector (int) in the make_raw_rw_request function.  It is
> possible to overflow the max_sector.  Next, max_sector is passed to the
> copy_buffer function and used in one of the memcpy calls.
> 
> An unprivileged user could trigger the bug if the device is accessible,
> but requires a floppy disk to be inserted.
> 
> The patch adds the check for the .sect * .head multiplication for not
> overflowing in the set_geometry function.
> 
> The bug was found by syzkaller.
> 
> Signed-off-by: Denis Efremov <efremov@ispras.ru>
> Tested-by: Willy Tarreau <w@1wt.eu>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
> ---
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 42ae1d2d8243..7516fed84ae9 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
>  	int cnt;
>  
>  	/* sanity checking for parameters. */
> -	if (g->sect <= 0 ||
> -	    g->head <= 0 ||
> +	if ((int)g->sect <= 0 ||
> +	    (int)g->head <= 0 ||
> +	    /* check for overflow in max_sector */
> +	    (int)(g->sect * g->head) <= 0 ||
>  	    /* check for zero in F_SECT_PER_TRACK */
>  	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
>  	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||


Hmm...This patch doesn't seem to apply to any of X or B or D.

Looks like this patch is the upstream patch exactly but it appears the upstream patch actually needs some (minor?) backport work.

Connor, could you please double check?

Thanks
Po-Hsu Lin Aug. 7, 2019, 4:51 a.m. UTC | #4
This will need the patch for CVE-2019-14284 to be landed first.
https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html

On Wed, Aug 7, 2019 at 11:37 AM Khaled Elmously
<khalid.elmously@canonical.com> wrote:
>
> On 2019-08-01 10:45:17 , Connor Kuehl wrote:
> > From: Denis Efremov <efremov@ispras.ru>
> >
> > CVE-2019-14283
> >
> > This fixes a global out-of-bounds read access in the copy_buffer
> > function of the floppy driver.
> >
> > The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> > and head fields (unsigned int) of the floppy_drive structure are used to
> > compute the max_sector (int) in the make_raw_rw_request function.  It is
> > possible to overflow the max_sector.  Next, max_sector is passed to the
> > copy_buffer function and used in one of the memcpy calls.
> >
> > An unprivileged user could trigger the bug if the device is accessible,
> > but requires a floppy disk to be inserted.
> >
> > The patch adds the check for the .sect * .head multiplication for not
> > overflowing in the set_geometry function.
> >
> > The bug was found by syzkaller.
> >
> > Signed-off-by: Denis Efremov <efremov@ispras.ru>
> > Tested-by: Willy Tarreau <w@1wt.eu>
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> > Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
> > ---
> >  drivers/block/floppy.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> > index 42ae1d2d8243..7516fed84ae9 100644
> > --- a/drivers/block/floppy.c
> > +++ b/drivers/block/floppy.c
> > @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
> >       int cnt;
> >
> >       /* sanity checking for parameters. */
> > -     if (g->sect <= 0 ||
> > -         g->head <= 0 ||
> > +     if ((int)g->sect <= 0 ||
> > +         (int)g->head <= 0 ||
> > +         /* check for overflow in max_sector */
> > +         (int)(g->sect * g->head) <= 0 ||
> >           /* check for zero in F_SECT_PER_TRACK */
> >           (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
> >           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
>
>
> Hmm...This patch doesn't seem to apply to any of X or B or D.
>
> Looks like this patch is the upstream patch exactly but it appears the upstream patch actually needs some (minor?) backport work.
>
> Connor, could you please double check?
>
> Thanks
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Khaled Elmously Aug. 7, 2019, 4:55 a.m. UTC | #5
Yep - thanks Sam!


On 2019-08-07 12:51:32 , Po-Hsu Lin wrote:
> This will need the patch for CVE-2019-14284 to be landed first.
> https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html
> 
> On Wed, Aug 7, 2019 at 11:37 AM Khaled Elmously
> <khalid.elmously@canonical.com> wrote:
> >
> > On 2019-08-01 10:45:17 , Connor Kuehl wrote:
> > > From: Denis Efremov <efremov@ispras.ru>
> > >
> > > CVE-2019-14283
> > >
> > > This fixes a global out-of-bounds read access in the copy_buffer
> > > function of the floppy driver.
> > >
> > > The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> > > and head fields (unsigned int) of the floppy_drive structure are used to
> > > compute the max_sector (int) in the make_raw_rw_request function.  It is
> > > possible to overflow the max_sector.  Next, max_sector is passed to the
> > > copy_buffer function and used in one of the memcpy calls.
> > >
> > > An unprivileged user could trigger the bug if the device is accessible,
> > > but requires a floppy disk to be inserted.
> > >
> > > The patch adds the check for the .sect * .head multiplication for not
> > > overflowing in the set_geometry function.
> > >
> > > The bug was found by syzkaller.
> > >
> > > Signed-off-by: Denis Efremov <efremov@ispras.ru>
> > > Tested-by: Willy Tarreau <w@1wt.eu>
> > > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > > (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> > > Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
> > > ---
> > >  drivers/block/floppy.c | 6 ++++--
> > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> > > index 42ae1d2d8243..7516fed84ae9 100644
> > > --- a/drivers/block/floppy.c
> > > +++ b/drivers/block/floppy.c
> > > @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
> > >       int cnt;
> > >
> > >       /* sanity checking for parameters. */
> > > -     if (g->sect <= 0 ||
> > > -         g->head <= 0 ||
> > > +     if ((int)g->sect <= 0 ||
> > > +         (int)g->head <= 0 ||
> > > +         /* check for overflow in max_sector */
> > > +         (int)(g->sect * g->head) <= 0 ||
> > >           /* check for zero in F_SECT_PER_TRACK */
> > >           (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
> > >           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> >
> >
> > Hmm...This patch doesn't seem to apply to any of X or B or D.
> >
> > Looks like this patch is the upstream patch exactly but it appears the upstream patch actually needs some (minor?) backport work.
> >
> > Connor, could you please double check?
> >
> > Thanks
> >
> > --
> > kernel-team mailing list
> > kernel-team@lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch
diff mbox series

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 42ae1d2d8243..7516fed84ae9 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3236,8 +3236,10 @@  static int set_geometry(unsigned int cmd, struct floppy_struct *g,
 	int cnt;
 
 	/* sanity checking for parameters. */
-	if (g->sect <= 0 ||
-	    g->head <= 0 ||
+	if ((int)g->sect <= 0 ||
+	    (int)g->head <= 0 ||
+	    /* check for overflow in max_sector */
+	    (int)(g->sect * g->head) <= 0 ||
 	    /* check for zero in F_SECT_PER_TRACK */
 	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
 	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||