From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Stefan Haberland <sth@linux.ibm.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Sasha Levin <sashal@kernel.org>,
linux-s390@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 05/27] s390/dasd: fix using offset into zero size array error
Date: Mon, 11 Mar 2019 15:58:02 -0400 [thread overview]
Message-ID: <20190311195824.139043-5-sashal@kernel.org> (raw)
In-Reply-To: <20190311195824.139043-1-sashal@kernel.org>
From: Stefan Haberland <sth@linux.ibm.com>
[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
Dan Carpenter reported the following:
The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
checker warning:
drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
error: using offset into zero size array 'psf_data[]'
drivers/s390/block/dasd_eckd.c
4458 /* Copy parms from caller */
4459 rc = -EFAULT;
4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
^^^^^^^
The user can specify any "usrparm.psf_data_len". They choose zero by
mistake.
4461 goto out;
4462 if (is_compat_task()) {
4463 /* Make sure pointers are sane even on 31 bit. */
4464 rc = -EINVAL;
4465 if ((usrparm.psf_data >> 32) != 0)
4466 goto out;
4467 if ((usrparm.rssd_result >> 32) != 0)
4468 goto out;
4469 usrparm.psf_data &= 0x7fffffffULL;
4470 usrparm.rssd_result &= 0x7fffffffULL;
4471 }
4472 /* alloc I/O data area */
4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
| GFP_DMA);
4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
| GFP_DMA);
4475 if (!psf_data || !rssd_result) {
kzalloc() returns a ZERO_SIZE_PTR (0x16).
4476 rc = -ENOMEM;
4477 goto out_free;
4478 }
4479
4480 /* get syscall header from user space */
4481 rc = -EFAULT;
4482 if (copy_from_user(psf_data,
4483 (void __user *)(unsigned long)
usrparm.psf_data,
4484 usrparm.psf_data_len))
That all works great.
4485 goto out_free;
4486 psf0 = psf_data[0];
4487 psf1 = psf_data[1];
But now we're assuming that "->psf_data_len" was at least 2 bytes.
Fix this by checking the user specified length psf_data_len.
Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/block/dasd_eckd.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index 4c7c8455da96..0a1e7f9b5239 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -4463,6 +4463,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
usrparm.psf_data &= 0x7fffffffULL;
usrparm.rssd_result &= 0x7fffffffULL;
}
+ /* at least 2 bytes are accessed and should be allocated */
+ if (usrparm.psf_data_len < 2) {
+ DBF_DEV_EVENT(DBF_WARNING, device,
+ "Symmetrix ioctl invalid data length %d",
+ usrparm.psf_data_len);
+ rc = -EINVAL;
+ goto out;
+ }
/* alloc I/O data area */
psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
--
2.19.1
next prev parent reply other threads:[~2019-03-11 20:04 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-11 19:57 [PATCH AUTOSEL 4.14 01/27] drm/imx: ignore plane updates on disabled crtcs Sasha Levin
2019-03-11 19:57 ` [PATCH AUTOSEL 4.14 02/27] gpu: ipu-v3: Fix i.MX51 CSI control registers offset Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 03/27] drm/imx: imx-ldb: add missing of_node_puts Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 04/27] gpu: ipu-v3: Fix CSI offsets for imx53 Sasha Levin
2019-03-11 19:58 ` Sasha Levin [this message]
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 06/27] Input: pwm-vibra - prevent unbalanced regulator Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 07/27] Input: pwm-vibra - stop regulator after disabling pwm, not before Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 08/27] ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 09/27] ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 10/27] ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 11/27] KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 12/27] ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 13/27] Input: cap11xx - switch to using set_brightness_blocking() Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 14/27] Input: ps2-gpio - flush TX work when closing port Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 15/27] Input: matrix_keypad - use flush_delayed_work() Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 16/27] mac80211: Fix Tx aggregation session tear down with ITXQs Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 17/27] ipvs: fix dependency on nf_defrag_ipv6 Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 18/27] floppy: check_events callback should not return a negative number Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 19/27] NFS: Don't use page_file_mapping after removing the page Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 20/27] mm/gup: fix gup_pmd_range() for dax Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 21/27] Revert "mm: use early_pfn_to_nid in page_ext_init" Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 22/27] mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 23/27] net: hns: Fix object reference leaks in hns_dsaf_roce_reset() Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 24/27] i2c: cadence: Fix the hold bit setting Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 25/27] i2c: bcm2835: Clear current buffer pointers and counts after a transfer Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 26/27] auxdisplay: ht16k33: fix potential user-after-free on module unload Sasha Levin
2019-03-11 19:58 ` [PATCH AUTOSEL 4.14 27/27] Input: st-keyscan - fix potential zalloc NULL dereference Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190311195824.139043-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=stable@vger.kernel.org \
--cc=sth@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox