diff options
author | Denis Efremov <efremov@ispras.ru> | 2019-07-12 20:55:23 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-17 23:45:50 +0200 |
commit | da99466ac243f15fbba65bd261bfc75ffa1532b6 (patch) | |
tree | a4078e6242803b3e1e5dd294fa0ad5fa52f4f9a3 /block | |
parent | floppy: fix invalid pointer dereference in drive_name (diff) | |
download | linux-da99466ac243f15fbba65bd261bfc75ffa1532b6.tar.xz linux-da99466ac243f15fbba65bd261bfc75ffa1532b6.zip |
floppy: fix out-of-bounds read in copy_buffer
This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.
The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function. It is
possible to overflow the max_sector. Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.
An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.
The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.
The bug was found by syzkaller.
Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'block')
0 files changed, 0 insertions, 0 deletions