d105eaf5fb
[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ] This fixes a global out-of-bounds read access in the copy_buffer function of the floppy driver. The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect and head fields (unsigned int) of the floppy_drive structure are used to compute the max_sector (int) in the make_raw_rw_request function. It is possible to overflow the max_sector. Next, max_sector is passed to the copy_buffer function and used in one of the memcpy calls. An unprivileged user could trigger the bug if the device is accessible, but requires a floppy disk to be inserted. The patch adds the check for the .sect * .head multiplication for not overflowing in the set_geometry function. The bug was found by syzkaller. Signed-off-by: Denis Efremov <efremov@ispras.ru> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| aoe | ||
| drbd | ||
| mtip32xx | ||
| paride | ||
| rsxx | ||
| xen-blkback | ||
| zram | ||
| amiflop.c | ||
| ataflop.c | ||
| brd.c | ||
| cciss.c | ||
| cciss.h | ||
| cciss_cmd.h | ||
| cciss_scsi.c | ||
| cciss_scsi.h | ||
| cpqarray.c | ||
| cpqarray.h | ||
| cryptoloop.c | ||
| DAC960.c | ||
| DAC960.h | ||
| floppy.c | ||
| hd.c | ||
| ida_cmd.h | ||
| ida_ioctl.h | ||
| Kconfig | ||
| loop.c | ||
| loop.h | ||
| Makefile | ||
| mg_disk.c | ||
| nbd.c | ||
| null_blk.c | ||
| osdblk.c | ||
| pktcdvd.c | ||
| ps3disk.c | ||
| ps3vram.c | ||
| rbd.c | ||
| rbd_types.h | ||
| skd_main.c | ||
| skd_s1120.h | ||
| smart1,2.h | ||
| sunvdc.c | ||
| swim.c | ||
| swim3.c | ||
| swim_asm.S | ||
| sx8.c | ||
| umem.c | ||
| umem.h | ||
| virtio_blk.c | ||
| xen-blkfront.c | ||
| xsysace.c | ||
| z2ram.c | ||