5e8174e74d
commit da99466ac243f15fbba65bd261bfc75ffa1532b6 upstream. This fixes a global out-of-bounds read access in the copy_buffer function of the floppy driver. The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect and head fields (unsigned int) of the floppy_drive structure are used to compute the max_sector (int) in the make_raw_rw_request function. It is possible to overflow the max_sector. Next, max_sector is passed to the copy_buffer function and used in one of the memcpy calls. An unprivileged user could trigger the bug if the device is accessible, but requires a floppy disk to be inserted. The patch adds the check for the .sect * .head multiplication for not overflowing in the set_geometry function. The bug was found by syzkaller. Signed-off-by: Denis Efremov <efremov@ispras.ru> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> CVE-2019-14283 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org> Change-Id: Idb3e900d17920e6339b862419018f4740a7d4caf |
||
|---|---|---|
| .. | ||
| aoe | ||
| drbd | ||
| mtip32xx | ||
| paride | ||
| xen-blkback | ||
| zram | ||
| DAC960.c | ||
| DAC960.h | ||
| Kconfig | ||
| Makefile | ||
| amiflop.c | ||
| ataflop.c | ||
| brd.c | ||
| cciss.c | ||
| cciss.h | ||
| cciss_cmd.h | ||
| cciss_scsi.c | ||
| cciss_scsi.h | ||
| cpqarray.c | ||
| cpqarray.h | ||
| cryptoloop.c | ||
| floppy.c | ||
| hd.c | ||
| ida_cmd.h | ||
| ida_ioctl.h | ||
| loop.c | ||
| mg_disk.c | ||
| nbd.c | ||
| nvme.c | ||
| osdblk.c | ||
| pktcdvd.c | ||
| ps3disk.c | ||
| ps3vram.c | ||
| rbd.c | ||
| rbd_types.h | ||
| smart1,2.h | ||
| sunvdc.c | ||
| swim.c | ||
| swim3.c | ||
| swim_asm.S | ||
| sx8.c | ||
| ub.c | ||
| umem.c | ||
| umem.h | ||
| virtio_blk.c | ||
| xd.c | ||
| xd.h | ||
| xen-blkfront.c | ||
| xsysace.c | ||
| z2ram.c | ||