From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Denis Efremov <efremov@ispras.ru>, Willy Tarreau <w@1wt.eu>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 21/23] floppy: fix div-by-zero in setup_format_params
Date: Fri, 26 Jul 2019 09:45:20 -0400 [thread overview]
Message-ID: <20190726134522.13308-21-sashal@kernel.org> (raw)
In-Reply-To: <20190726134522.13308-1-sashal@kernel.org>
From: Denis Efremov <efremov@ispras.ru>

[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]

This fixes a divide by zero error in the setup_format_params function of
the floppy driver.

Two consecutive ioctls can trigger the bug: The first one should set the
drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
to become zero. Next, the floppy format operation should be called.
A floppy disk is not required to be inserted. An unprivileged user
could trigger the bug if the device is accessible.

The patch checks F_SECT_PER_TRACK for a non-zero value in the
set_geometry function. The proper check should involve a reasonable
upper limit for the .sect and .rate fields, but it could change the
UAPI.

The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
cancels the formatting operation in case of zero.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/floppy.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 2daa5b84abbc..42ae1d2d8243 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -2113,6 +2113,9 @@ static void setup_format_params(int track)
raw_cmd->kernel_data = floppy_track_buffer;
raw_cmd->length = 4 * F_SECT_PER_TRACK;
+ if (!F_SECT_PER_TRACK)
+ return;
+
/* allow for about 30ms for data transport per track */
head_shift = (F_SECT_PER_TRACK + 5) / 6;
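Review bot: the early return at `if (!F_SECT_PER_TRACK) return;` fires after `raw_cmd->kernel_data = floppy_track_buffer;` and `raw_cmd->length = 4 * F_SECT_PER_TRACK;` have already been filled in, and setup_format_params() is void, so the caller is handed a zero-length raw command rather than a signalled failure; nothing in this hunk "cancels the formatting operation" as the commit message puts it, it only skips the division in the lines that follow. Either move the check above the raw_cmd->length assignment or give the function a return value the caller can act on, and add a one-line comment stating that a zero here means the caller's sect/rate combination collapsed the per-track count, which set_geometry() now rejects, so this is a defensive second line, not the primary guard.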
@@ -3235,6 +3238,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
/* sanity checking for parameters. */
if (g->sect <= 0 ||
g->head <= 0 ||
+ /* check for zero in F_SECT_PER_TRACK */
+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
/* check if reserved bits are set */
(g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
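Review bot: the new term `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0` re-derives by hand the value that setup_format_params() later stores in F_SECT_PER_TRACK; if either copy of the formula is changed the other silently stops matching, so factor it into one shared helper used by both call sites. Also note what the `(unsigned char)` cast does: it rejects only shift results that land exactly on a multiple of 256, while a result that wraps to a non-zero low byte (260 becomes 4) passes and leaves the format path with a sector count unrelated to what the caller asked for. That is the missing upper bound the commit message mentions; put that caveat in a comment at the check so the limitation is visible in the code and not only in the log.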
--
2.20.1
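The commit message describes the trigger only in words: a geometry whose .sect and .rate make F_SECT_PER_TRACK zero, followed by a format request. The following user-space model, added here as an example and not code from the patch or from the floppy driver, works through the arithmetic of both hunks so the failing inputs and the surviving gap can be seen concretely. It assumes FD_SIZECODE is (((rate & 0x38) >> 3) + 2) % 8, modelled on the driver's macro, which the page uses but does not define; head_shift is taken from the hunk, while track_shift and the final modulo are modelled on the driver's setup_format_params() and are not on the page. No ioctl is issued; the sample geometries are constructed for illustration.

```c
#include <stdio.h>

/* Assumed: mirrors the driver's FD_SIZECODEMASK / FD_SIZECODE, taking the
 * rate byte directly instead of a struct floppy_struct pointer. Yields a
 * sector size code in 0..7 from bits 3..5 of the rate byte. */
#define FD_SIZECODEMASK 0x38
#define FD_SIZECODE(rate) (((((rate) & FD_SIZECODEMASK) >> 3) + 2) % 8)

/* sect << 2 >> sizecode before the driver narrows it to one byte. */
static int spt_raw(int sect, int rate)
{
	return (sect << 2) >> FD_SIZECODE(rate);
}

/* What the driver keeps in F_SECT_PER_TRACK: the same value as an unsigned
 * char. It can reach zero two ways: a small sect shifted right to nothing,
 * or a large result whose low byte happens to be zero. */
static unsigned char spt_stored(int sect, int rate)
{
	return (unsigned char)spt_raw(sect, rate);
}

/* The sect/rate terms of the patched set_geometry() sanity check:
 * returns 1 when the geometry would be rejected, 0 when accepted. */
static int geometry_rejected(int sect, int rate)
{
	return sect <= 0 || spt_stored(sect, rate) == 0;
}

/* 1 when the geometry is accepted but the stored count is not what was
 * asked for: the wrap-around the new check does not catch. */
static int spt_truncated(int sect, int rate)
{
	return !geometry_rejected(sect, rate) &&
	       spt_stored(sect, rate) != spt_raw(sect, rate);
}

/* The computation guarded in setup_format_params(): position of logical
 * sector 1 on a track. Returns -1 instead of dividing by zero, which is
 * where the unpatched driver faulted. */
static int first_sector_pos(int sect, int rate, int track, int head)
{
	unsigned char spt = spt_stored(sect, rate);
	int head_shift, track_shift;

	if (!spt)
		return -1;
	head_shift = (spt + 5) / 6;        /* on the page: ~30ms per track */
	track_shift = 2 * head_shift + 3;  /* modelled on the driver */
	return (track_shift * track + head_shift * head) % spt;
}

/* Number of (sect, rate) pairs, sect in 1..max_sect and rate in 0..255,
 * that reach F_SECT_PER_TRACK == 0 (rejected by the patched check). */
static int count_zero(int max_sect)
{
	int sect, rate, n = 0;

	for (sect = 1; sect <= max_sect; sect++)
		for (rate = 0; rate <= 0xff; rate++)
			if (spt_stored(sect, rate) == 0)
				n++;
	return n;
}

/* Number of pairs in the same range that pass the check with a wrapped,
 * wrong sector count (the missing upper bound the message mentions). */
static int count_wrapped(int max_sect)
{
	int sect, rate, n = 0;

	for (sect = 1; sect <= max_sect; sect++)
		for (rate = 0; rate <= 0xff; rate++)
			if (spt_truncated(sect, rate))
				n++;
	return n;
}

int main(void)
{
	/* Constructed inputs: a 1.44M-style geometry, a truncate-to-zero
	 * case, a wrap-to-nonzero case, and a shift-to-zero case. */
	printf("sect=18 rate=0x00: spt=%u rejected=%d pos(track 1)=%d\n",
	       spt_stored(18, 0x00), geometry_rejected(18, 0x00),
	       first_sector_pos(18, 0x00, 1, 0));
	printf("sect=64 rate=0x30: spt=%u rejected=%d pos=%d\n",
	       spt_stored(64, 0x30), geometry_rejected(64, 0x30),
	       first_sector_pos(64, 0x30, 0, 0));
	printf("sect=65 rate=0x30: spt=%u rejected=%d truncated=%d\n",
	       spt_stored(65, 0x30), geometry_rejected(65, 0x30),
	       spt_truncated(65, 0x30));
	printf("sect=1  rate=0x08: spt=%u rejected=%d\n",
	       spt_stored(1, 0x08), geometry_rejected(1, 0x08));
	printf("sect 1..255 x rate 0..255: %d pairs give spt 0, %d wrap\n",
	       count_zero(255), count_wrapped(255));
	return 0;
}
```

Running it shows that sect=64 with rate=0x30 (size code 0) is the truncation case the patch targets, that sect=65 with the same rate passes the patched check with a stored count of 4, and that most of the zero-producing pairs in the surveyed range come from small sect values shifted right to nothing rather than from the 8-bit wrap; the check catches both, the wrapped non-zero counts it does not.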