• D
    floppy: fix out-of-bounds read in copy_buffer · da99466a
    Denis Efremov 提交于
    This fixes a global out-of-bounds read access in the copy_buffer
    function of the floppy driver.
    
    The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
    and head fields (unsigned int) of the floppy_drive structure are used to
    compute the max_sector (int) in the make_raw_rw_request function.  It is
    possible to overflow the max_sector.  Next, max_sector is passed to the
    copy_buffer function and used in one of the memcpy calls.
    
    An unprivileged user could trigger the bug if the device is accessible,
    but requires a floppy disk to be inserted.
    
    The patch adds the check for the .sect * .head multiplication for not
    overflowing in the set_geometry function.
    
    The bug was found by syzkaller.
    Signed-off-by: NDenis Efremov <efremov@ispras.ru>
    Tested-by: NWilly Tarreau <w@1wt.eu>
    Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
    da99466a
floppy.c 127.4 KB