[SRU,CVE-2019-14283,X/B/D,0/1] floppy: fix out-of-bounds read in copy_buffer

Message ID 20190801174517.24507-1-connor.kuehl@canonical.com

Message

Connor Kuehl Aug. 1, 2019, 5:45 p.m. UTC
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14283.html

From the link above:

"In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c
does not validate the sect and head fields, as demonstrated by an integer
overflow and out-of-bounds read. It can be triggered by an unprivileged
local user when a floppy disk has been inserted. NOTE: QEMU creates the
floppy device by default."

**NOTE**: CVE-2019-14284 must be applied first for this patch to cherry pick
cleanly. As of this writing, that patch has already been sent to the
mailing list [1] and has enough ACKs to be applied.

[1] https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html

Denis Efremov (1):
  floppy: fix out-of-bounds read in copy_buffer

 drivers/block/floppy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Khalid Elmously Aug. 7, 2019, 4:56 a.m. UTC | #1
On 2019-08-01 10:45:16 , Connor Kuehl wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14283.html
> 
> From the link above:
> 
> "In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c
> does not validate the sect and head fields, as demonstrated by an integer
> overflow and out-of-bounds read. It can be triggered by an unprivileged
> local user when a floppy disk has been inserted. NOTE: QEMU creates the
> floppy device by default."
> 
> **NOTE**: CVE-2019-14284 must be applied first for this patch to cherry pick
> cleanly. As of this writing, that patch has already been sent to the
> mailing list [1] and has enough ACKs to be applied.
> 
> [1] https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html
> 
> Denis Efremov (1):
>   floppy: fix out-of-bounds read in copy_buffer
> 
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> -- 
> 2.20.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team