diff options
| author | Denis Efremov <efremov@ispras.ru> | 2019-07-12 21:55:23 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-07-26 10:14:18 +0300 |
| commit | ff54c44f103825a426e46d08b5d3d76e44791a87 (patch) | |
| tree | 48d38c8891793ac33ded4c9c6b643a2ce542c312 /drivers/xen | |
| parent | a9444d9d0f6f47a7894a5762d25f9ed0965188c6 (diff) | |
| download | linux-ff54c44f103825a426e46d08b5d3d76e44791a87.tar.xz | |
floppy: fix out-of-bounds read in copy_buffer
[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.
The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function. It is
possible to overflow the max_sector. Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.
An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.
The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.
The bug was found by syzkaller.
Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/xen')
0 files changed, 0 insertions, 0 deletions