5e8174e74d
commit da99466ac243f15fbba65bd261bfc75ffa1532b6 upstream. This fixes a global out-of-bounds read access in the copy_buffer function of the floppy driver. The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect and head fields (unsigned int) of the floppy_drive structure are used to compute the max_sector (int) in the make_raw_rw_request function. It is possible to overflow the max_sector. Next, max_sector is passed to the copy_buffer function and used in one of the memcpy calls. An unprivileged user could trigger the bug if the device is accessible, but requires a floppy disk to be inserted. The patch adds the check for the .sect * .head multiplication for not overflowing in the set_geometry function. The bug was found by syzkaller. Signed-off-by: Denis Efremov <efremov@ispras.ru> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> CVE-2019-14283 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org> Change-Id: Idb3e900d17920e6339b862419018f4740a7d4caf |
||
---|---|---|
.. | ||
aoe | ||
drbd | ||
mtip32xx | ||
paride | ||
xen-blkback | ||
zram | ||
DAC960.c | ||
DAC960.h | ||
Kconfig | ||
Makefile | ||
amiflop.c | ||
ataflop.c | ||
brd.c | ||
cciss.c | ||
cciss.h | ||
cciss_cmd.h | ||
cciss_scsi.c | ||
cciss_scsi.h | ||
cpqarray.c | ||
cpqarray.h | ||
cryptoloop.c | ||
floppy.c | ||
hd.c | ||
ida_cmd.h | ||
ida_ioctl.h | ||
loop.c | ||
mg_disk.c | ||
nbd.c | ||
nvme.c | ||
osdblk.c | ||
pktcdvd.c | ||
ps3disk.c | ||
ps3vram.c | ||
rbd.c | ||
rbd_types.h | ||
smart1,2.h | ||
sunvdc.c | ||
swim.c | ||
swim3.c | ||
swim_asm.S | ||
sx8.c | ||
ub.c | ||
umem.c | ||
umem.h | ||
virtio_blk.c | ||
xd.c | ||
xd.h | ||
xen-blkfront.c | ||
xsysace.c | ||
z2ram.c |