floppy: fix out-of-bounds read in copy_buffer (da99466a) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit da99466a authored Jul 12, 2019 by

Denis Efremov Committed by Linus Torvalds Jul 17, 2019

floppy: fix out-of-bounds read in copy_buffer



This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function.  It is
possible to overflow the max_sector.  Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.

The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 9b04609b

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit d105eaf5
· Aug 05, 2019

mentioned in commit d105eaf5

mentioned in commit d105eaf5fb67a193df8fe72e64690c43e343a560

Toggle commit list
mirror @mirror
mentioned in commit 05429983
· Aug 14, 2019

mentioned in commit 05429983

mentioned in commit 05429983fa0fa3bfa1b8436beb63913d9d4aad1a

Toggle commit list

Please register or to comment