linux/drivers/block
Denis Efremov da99466ac2 floppy: fix out-of-bounds read in copy_buffer
This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function.  It is
possible to overflow the max_sector.  Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible,
but it requires a floppy disk to be inserted.

The patch adds a check in the set_geometry function that the
.sect * .head multiplication does not overflow.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:50 -07:00
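
The overflow the commit message describes, as an added example that is not part of the commit or the kernel source: a userspace C model in which `struct geometry`, `wrapped_product` and `validate_geometry` are hypothetical names, the sample geometries are constructed, and `unsigned int` is assumed to be 32 bits. It shows the unsigned product wrapping and a set-time check that rejects any geometry whose `sect * head` does not fit in a positive `int`.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the geometry fields the commit message names. */
struct geometry {
    unsigned int sect;  /* sectors per track */
    unsigned int head;  /* number of heads */
};

/* The product as unsigned int arithmetic computes it: silently reduced
 * modulo 2^32 (assuming 32-bit unsigned int) before it reaches an int. */
static unsigned int wrapped_product(const struct geometry *g)
{
    return g->sect * g->head;
}

/* Reject a geometry at set time if sect * head cannot be held in a
 * positive int. The multiplication is done in 64 bits so it cannot wrap. */
static int validate_geometry(const struct geometry *g)
{
    uint64_t product;

    if (g->sect == 0 || g->sect > (unsigned int)INT_MAX ||
        g->head == 0 || g->head > (unsigned int)INT_MAX)
        return -EINVAL;
    product = (uint64_t)g->sect * g->head;
    if (product > (uint64_t)INT_MAX)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample geometries, not taken from the commit. */
    const struct geometry samples[] = {
        { 18, 2 },              /* ordinary 1.44 MB layout */
        { 0x10000, 0x10000 },   /* product wraps to 0 */
        { 0x10001, 0x10000 },   /* product wraps to 65536 */
        { 0x40000000, 2 },      /* product exceeds INT_MAX */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sect=%u head=%u wrapped=%u verdict=%d\n",
               samples[i].sect, samples[i].head,
               wrapped_product(&samples[i]), validate_geometry(&samples[i]));
    return 0;
}
```

The third sample is the reason the check multiplies in 64 bits: its wrapped 32-bit product is a small positive number that looks like a valid sector count.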
aoe block: aoe: no need to check return value of debugfs_create functions 2019-06-04 13:38:23 -06:00
drbd treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 91 2019-05-24 17:37:53 +02:00
mtip32xx mtip32xx: also set max_segment_size in the device 2019-06-05 13:18:39 -06:00
paride Linux 5.1-rc6 2019-04-22 09:47:36 -06:00
rsxx rsxx: don't call dma_set_max_seg_size 2019-06-05 13:18:39 -06:00
xen-blkback treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
zram treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
amiflop.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ataflop.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
brd.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
cryptoloop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 30 2019-05-24 17:27:10 +02:00
floppy.c floppy: fix out-of-bounds read in copy_buffer 2019-07-17 14:45:50 -07:00
Kconfig drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
loop.c loop: Don't change loop device under exclusive opener 2019-05-27 07:34:04 -06:00
loop.h block/loop: Use global lock for ioctl() operation. 2018-11-08 06:30:11 -07:00
Makefile drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
nbd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 127 2019-05-30 11:25:13 -07:00
null_blk_main.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
null_blk_zoned.c null_blk: remove duplicate check for report zone 2019-06-13 03:00:30 -06:00
null_blk.h null_blk: add zoned config support information 2019-01-06 10:58:27 -07:00
pktcdvd.c block: genhd: remove async_events field 2019-04-12 13:35:22 -06:00
ps3disk.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 164 2019-05-30 11:26:38 -07:00
ps3vram.c block/ps3vram: Use %llu to format sector_t after LBDAF removal 2019-06-13 03:17:50 -06:00
rbd_types.h
rbd.c rbd: don't assert on writes to snapshots 2019-05-07 19:43:04 +02:00
skd_main.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 497 2019-06-19 17:09:53 +02:00
skd_s1120.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 497 2019-06-19 17:09:53 +02:00
sunvdc.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
swim3.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim_asm.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sx8.c sx8: use a per-host tag_set 2018-11-09 08:14:14 -07:00
umem.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 349 2019-06-05 17:37:08 +02:00
umem.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 348 2019-06-05 17:37:08 +02:00
virtio_blk.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xen-blkfront.c xen-blkfront: switch kcalloc to kvcalloc for large array allocation 2019-06-03 22:16:19 -04:00
xsysace.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
z2ram.c powerpc updates for 4.20 2018-10-26 14:36:21 -07:00