• Denis Efremov's avatar
    floppy: fix out-of-bounds read in copy_buffer · 0a67173b
    Denis Efremov authored
    [ Upstream commit da99466a ]
    
    This fixes a global out-of-bounds read access in the copy_buffer
    function of the floppy driver.
    
    The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
    and head fields (unsigned int) of the floppy_drive structure are used to
    compute the max_sector (int) in the make_raw_rw_request function.  It is
    possible to overflow the max_sector.  Next, max_sector is passed to the
    copy_buffer function and used in one of the memcpy calls.
    
    An unprivileged user could trigger the bug if the device is accessible,
    but requires a floppy disk to be inserted.
    
    The patch adds the check for the .sect * .head multiplication for not
    overflowing in the set_geometry function.
    
    The bug was found by syzkaller.
    Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
    Tested-by: default avatarWilly Tarreau <w@1wt.eu>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    0a67173b
floppy.c 127 KB