• Denis Efremov's avatar
    floppy: fix div-by-zero in setup_format_params · f3554aeb
    Denis Efremov authored
    This fixes a divide by zero error in the setup_format_params function of
    the floppy driver.
    
    Two consecutive ioctls can trigger the bug: The first one should set the
    drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
    to become zero.  Next, the floppy format operation should be called.
    
    A floppy disk is not required to be inserted.  An unprivileged user
    could trigger the bug if the device is accessible.
    
    The patch checks F_SECT_PER_TRACK for a non-zero value in the
    set_geometry function.  The proper check should involve a reasonable
    upper limit for the .sect and .rate fields, but it could change the
    UAPI.
    
    The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
    cancels the formatting operation in case of zero.
    
    The bug was found by syzkaller.
    Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
    Tested-by: default avatarWilly Tarreau <w@1wt.eu>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    f3554aeb
floppy.c 127 KB