    floppy: check FDC index for errors before assigning it · 9bf90025
    Linus Torvalds authored
    BugLink: https://bugs.launchpad.net/bugs/1868627
    
    commit 2e90ca68 upstream.
    
    Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in
    wait_til_ready().
    
    Which on the face of it can't happen, since as Willy Tarreau points out,
    the function does no particular memory access.  Except through the FDCS
    macro, which just indexes a static allocation through the current fdc,
    which is always checked against N_FDC.
    
    Except the checking happens after we've already assigned the value.
    
    The floppy driver is a disgrace (a lot of it going back to my original
    horrid "design"), and has no real maintainer.  Nobody has the hardware,
    and nobody really cares.  But it still gets used in virtual environment
    because it's one of those things that everybody supports.
    
    The whole thing should be re-written, or at least parts of it should be
    seriously cleaned up.  The 'current fdc' index, which is used by the
    FDCS macro, and which is often shadowed by a local 'fdc' variable, is a
    prime example of how not to write code.
    
    But because nobody has the hardware or the motivation, let's just fix up
    the immediate problem with a nasty band-aid: test the fdc index before
    actually assigning it to the static 'fdc' variable.
    
    Reported-by: Jordy Zomer <jordy@simplyhacker.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
    Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
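The ordering problem the commit message describes, as an added user-space model; this is not code from the commit or from floppy.c. Only `N_FDC`, `FDCS` and the static `fdc` index are named on the page; the struct, the value of `N_FDC`, and every function name below are assumptions made for illustration.

```c
#include <stdio.h>

#define N_FDC 2                      /* model value; the driver defines its own */
struct fdc_state_model { int status; };          /* hypothetical stand-in */
static struct fdc_state_model fdc_state[N_FDC];  /* the static allocation */
static int fdc;                      /* the 'current fdc' index used by FDCS */
#define FDCS (&fdc_state[fdc])       /* indexes the static array via the global */

/* Before: the global is overwritten first and validated second. */
static int set_fdc_assign_then_check(int new_fdc)
{
    fdc = new_fdc;
    if (fdc < 0 || fdc >= N_FDC)
        return -1;                   /* error reported, but 'fdc' is already bad */
    return 0;
}

/* After: test the index before assigning it to the static variable. */
static int set_fdc_check_then_assign(int new_fdc)
{
    if (new_fdc < 0 || new_fdc >= N_FDC)
        return -1;                   /* 'fdc' keeps its last valid value */
    fdc = new_fdc;
    return 0;
}

/* What any later FDCS user silently relies on. */
static int fdcs_in_bounds(void)
{
    return fdc >= 0 && fdc < N_FDC;
}

/* Returns 1 if FDCS is still safe to dereference after a rejected index. */
static int safe_after_reject(int (*setter)(int), int bad)
{
    fdc = 0;                         /* start from a known-good index */
    if (setter(bad) == 0)
        return 0;                    /* the bad index should have been rejected */
    return fdcs_in_bounds();
}

int main(void)
{
    printf("assign-then-check: %d\n", safe_after_reject(set_fdc_assign_then_check, N_FDC));
    printf("check-then-assign: %d\n", safe_after_reject(set_fdc_check_then_assign, N_FDC));
    if (fdcs_in_bounds())
        FDCS->status = 1;            /* only dereferenced while the index is valid */
    return 0;
}
```

The model never dereferences `FDCS` with a bad index; it only reports whether a later access would be in bounds, which is the condition KASAN flagged when it was violated.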
floppy.c 127 KB