From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Denis Efremov <efremov@ispras.ru>, Willy Tarreau <w@1wt.eu>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 30/37] floppy: fix div-by-zero in setup_format_params
Date: Fri, 26 Jul 2019 09:43:25 -0400 [thread overview]
Message-ID: <20190726134332.12626-30-sashal@kernel.org> (raw)
In-Reply-To: <20190726134332.12626-1-sashal@kernel.org>
From: Denis Efremov <efremov@ispras.ru>
[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
This fixes a divide by zero error in the setup_format_params function of
the floppy driver.

Two consecutive ioctls can trigger the bug: the first one should set the
drive geometry with .sect and .rate values such that F_SECT_PER_TRACK
becomes zero. Next, the floppy format operation should be called.
A floppy disk is not required to be inserted. An unprivileged user
could trigger the bug if the device is accessible.

The patch checks F_SECT_PER_TRACK for a non-zero value in the
set_geometry function. The proper check should involve a reasonable
upper limit for the .sect and .rate fields, but it could change the
UAPI.

The patch also checks F_SECT_PER_TRACK in setup_format_params and
cancels the formatting operation in case of zero.

The bug was found by syzkaller.
Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/floppy.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 3ea9c3e9acb3..4c6c20376a83 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -2114,6 +2114,9 @@ static void setup_format_params(int track)
raw_cmd->kernel_data = floppy_track_buffer;
raw_cmd->length = 4 * F_SECT_PER_TRACK;
+ if (!F_SECT_PER_TRACK)
+ return;
+
/* allow for about 30ms for data transport per track */
head_shift = (F_SECT_PER_TRACK + 5) / 6;
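Review bot: the guard `if (!F_SECT_PER_TRACK) return;` is placed after `raw_cmd->length = 4 * F_SECT_PER_TRACK;`, so the command is left with kernel_data set and length 0 when the function bails out, and the caller that is supposed to notice the cancelled format is outside this hunk; a one-line comment at the return saying why returning with a zero-length raw_cmd is safe for the caller would let a reader of this hunk verify the "cancels the formatting operation" claim from the changelog. Moving the check above the `raw_cmd->length` assignment would also avoid computing a length that is never used, and would put the bail-out next to the assignments it is protecting rather than between them and the arithmetic that follows.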
@@ -3238,6 +3241,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
/* sanity checking for parameters. */
if (g->sect <= 0 ||
g->head <= 0 ||
+ /* check for zero in F_SECT_PER_TRACK */
+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
/* check if reserved bits are set */
(g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
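Review bot: the new condition `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0` re-derives F_SECT_PER_TRACK by hand rather than sharing its definition, so the two can silently drift apart if the macro is ever changed; a small helper taking a `struct floppy_struct *` that both the macro and this check call would keep them in step. The comment `/* check for zero in F_SECT_PER_TRACK */` should also say that `g->sect <= 0` is not sufficient because both the right shift and the cast to unsigned char can turn a positive sect into zero; without that, a later reader may take the line for a redundant copy of the sect check and drop it.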
--
2.20.1
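An added example (my own C, not code from floppy.c or from this patch) that models the derivation used by the set_geometry hunk and shows why a positive sect alone does not rule out a zero sectors-per-track count. The size code is taken as a plain 0..7 parameter; in the driver it comes from g->rate through FD_SIZECODE(), which is not reproduced here.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the geometry fields the set_geometry check looks at.
 * In the driver the size code is derived from g->rate by FD_SIZECODE();
 * here it is a plain parameter (assumption) so the example stands alone. */
struct geom {
    unsigned int sect;      /* sectors per track requested by the ioctl caller */
    unsigned int sizecode;  /* sector size code, 0..7 (sector size 128 << sizecode) */
};

/* Same expression as the hunk: (unsigned char)((sect << 2) >> sizecode). */
unsigned char derived_sect_per_track(const struct geom *g)
{
    return (unsigned char)((g->sect << 2) >> g->sizecode);
}
/* Pre-fix sanity check: only requires a positive sect. */
bool geometry_ok_before(const struct geom *g)
{
    return g->sect > 0;
}
/* Post-fix check: the derived count must be non-zero too. A positive sect
 * still yields zero in two ways: the right shift swallows small values, and
 * the cast to unsigned char drops every multiple of 256. */
bool geometry_ok_after(const struct geom *g)
{
    return g->sect > 0 && derived_sect_per_track(g) != 0;
}
/* Count (sect, sizecode) pairs with 1 <= sect <= max_sect that the old check
 * accepts and the new one rejects: the set of geometries that reached the
 * zero divisor before the fix. */
unsigned int count_silent_zeros(unsigned int max_sect)
{
    unsigned int n = 0;
    for (unsigned int sc = 0; sc < 8; sc++)
        for (unsigned int s = 1; s <= max_sect; s++) {
            struct geom g = { s, sc };
            if (geometry_ok_before(&g) && !geometry_ok_after(&g))
                n++;
        }
    return n;
}

int main(void)
{
    struct geom g = { 64, 0 };   /* 64 << 2 = 256: the cast truncates it to 0 */
    printf("derived=%u before=%d after=%d gap(sect<=255)=%u\n",
           derived_sect_per_track(&g), geometry_ok_before(&g),
           geometry_ok_after(&g), count_silent_zeros(255));
    return 0;
}
```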