summaryrefslogtreecommitdiffstats
path: root/block
diff options
context:
space:
mode:
authorDenis Efremov <efremov@ispras.ru>2019-07-12 20:55:23 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2019-07-17 23:45:50 +0200
commitda99466ac243f15fbba65bd261bfc75ffa1532b6 (patch)
treea4078e6242803b3e1e5dd294fa0ad5fa52f4f9a3 /block
parentfloppy: fix invalid pointer dereference in drive_name (diff)
downloadlinux-da99466ac243f15fbba65bd261bfc75ffa1532b6.tar.xz
linux-da99466ac243f15fbba65bd261bfc75ffa1532b6.zip
floppy: fix out-of-bounds read in copy_buffer
This fixes a global out-of-bounds read access in the copy_buffer function of the floppy driver. The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect and head fields (unsigned int) of the floppy_drive structure are used to compute the max_sector (int) in the make_raw_rw_request function. It is possible to overflow the max_sector. Next, max_sector is passed to the copy_buffer function and used in one of the memcpy calls. An unprivileged user could trigger the bug if the device is accessible, but requires a floppy disk to be inserted. The patch adds the check for the .sect * .head multiplication for not overflowing in the set_geometry function. The bug was found by syzkaller. Signed-off-by: Denis Efremov <efremov@ispras.ru> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'block')
0 files changed, 0 insertions, 0 deletions