From patchwork Thu Aug 1 17:45:17 2019
X-Patchwork-Submitter: Connor Kuehl
X-Patchwork-Id: 1140663
From: Connor Kuehl
To: kernel-team@lists.ubuntu.com
Subject: [SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer
Date: Thu, 1 Aug 2019 10:45:17 -0700
Message-Id: <20190801174517.24507-2-connor.kuehl@canonical.com>
In-Reply-To: <20190801174517.24507-1-connor.kuehl@canonical.com>
References: <20190801174517.24507-1-connor.kuehl@canonical.com>
List-Id: Kernel team discussions
From: Denis Efremov

CVE-2019-14283

This fixes a global out-of-bounds read access in the copy_buffer function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect and head fields (unsigned int) of the floppy_drive structure are used to compute the max_sector (int) in the make_raw_rw_request function. It is possible to overflow the max_sector. Next, max_sector is passed to the copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible, but it requires a floppy disk to be inserted.

The patch adds a check that the .sect * .head multiplication does not overflow in the set_geometry function.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov
Tested-by: Willy Tarreau
Signed-off-by: Linus Torvalds
(cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
Signed-off-by: Connor Kuehl
Acked-by: Tyler Hicks
Acked-by: Colin Ian King
---
 drivers/block/floppy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 42ae1d2d8243..7516fed84ae9 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, int cnt; /* sanity checking for parameters. */ - if (g->sect <= 0 || - g->head <= 0 || + if ((int)g->sect <= 0 || + (int)g->head <= 0 || + /* check for overflow in max_sector */ + (int)(g->sect * g->head) <= 0 || /* check for zero in F_SECT_PER_TRACK */ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
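Review bot: the new `(int)(g->sect * g->head) <= 0` test in the set_geometry hunk relies on the unsigned product wrapping modulo 2^32 and then reading as negative once cast, so it rejects products in [2^31, 2^32) but passes a product that wraps past 2^32 back to a small positive value (sect and head both 65537 give 131073 after wrap-around), unless other bounds in set_geometry rule such values out. A test of the multiplication itself, such as `g->head > INT_MAX / g->sect` placed after the zero checks, or the kernel's check_mul_overflow() helper where the target series has it, would reject every product that does not fit the int max_sector. The comment `/* check for overflow in max_sector */` would also be clearer if it said that the (int) casts on sect and head exist because max_sector in make_raw_rw_request is an int, since that is what makes a cast of an unsigned field to int meaningful here.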
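As an added example that is not part of this patch or of the floppy driver, the following user-space C program models the sect * head computation the commit message describes and runs the pre-patch check, the patched check and a stricter multiplication check side by side over three constructed geometries. The struct, the function names, the g_* sample values and the strict variant are assumptions made here for illustration, not kernel code.

```c
/*
 * Added example (not code from the floppy driver or from this patch): a
 * user-space model of how a caller-chosen sect * head geometry becomes the
 * int max_sector used by make_raw_rw_request, with the pre-patch sanity
 * check, the patched check and a stricter alternative side by side.
 * The struct, function names and sample geometries are constructed here.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the sect/head fields of the kernel's geometry struct. */
struct geom {
	unsigned int sect;
	unsigned int head;
};

/* Models "max_sector = sect * head" with an int destination: the unsigned
 * product wraps modulo 2^32, then the cast reinterprets bit 31 as the sign
 * (gcc and clang define this conversion as two's-complement wrap). */
static int compute_max_sector(const struct geom *g)
{
	return (int)(g->sect * g->head);
}

/* Pre-patch test: "g->sect <= 0 || g->head <= 0" on unsigned fields only
 * rejects zero, so any non-zero pair passes regardless of the product. */
static bool geometry_ok_before(const struct geom *g)
{
	return !(g->sect == 0 || g->head == 0);
}

/* Patched test: casts to int so values >= 2^31 read as negative, and
 * additionally rejects a product whose int view is <= 0. */
static bool geometry_ok_patched(const struct geom *g)
{
	return !((int)g->sect <= 0 ||
		 (int)g->head <= 0 ||
		 (int)(g->sect * g->head) <= 0);
}

/* Stricter alternative (an assumption for comparison, not what the patch
 * does): reject any pair whose exact product exceeds INT_MAX, including
 * products that wrap past 2^32 back to a small positive value. */
static bool geometry_ok_strict(const struct geom *g)
{
	if ((int)g->sect <= 0 || (int)g->head <= 0)
		return false;
	return g->head <= (unsigned int)INT_MAX / g->sect;
}

/* Constructed sample geometries. */
static const struct geom g_normal = { 18u, 2u };             /* 1.44M layout: 36 sectors */
static const struct geom g_negative = { 0x10000u, 0x8000u }; /* product 2^31: int view is negative */
static const struct geom g_wrap = { 0x10001u, 0x10001u };    /* product 2^32 + 131073: wraps to 131073 */

int main(void)
{
	const struct geom *samples[] = { &g_normal, &g_negative, &g_wrap };
	const char *names[] = { "normal", "negative", "wrap" };
	size_t i;

	printf("%-9s %8s %8s %12s %7s %8s %7s\n",
	       "case", "sect", "head", "max_sector", "before", "patched", "strict");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const struct geom *g = samples[i];

		printf("%-9s %8u %8u %12d %7s %8s %7s\n", names[i],
		       g->sect, g->head, compute_max_sector(g),
		       geometry_ok_before(g) ? "pass" : "reject",
		       geometry_ok_patched(g) ? "pass" : "reject",
		       geometry_ok_strict(g) ? "pass" : "reject");
	}
	return 0;
}
```

Built with a recent gcc or clang and run, it prints one row per geometry. The second row is the case the patch closes: a product of exactly 2^31 that the pre-patch check accepts and the patched check rejects because its int view is negative. The third row shows a pair whose product wraps past 2^32 to 131073; the int-cast test cannot see that, so only the strict variant rejects it.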