floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
This commit is contained in:
parent
e890639fa7
commit
4962cdb584
|
@ -8,6 +8,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
|
|||
* binder: fix race between munmap() and direct reclaim (CVE-2019-1999)
|
||||
* scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
|
||||
* Input: gtco - bounds check collection indent level (CVE-2019-13631)
|
||||
* floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
|
||||
|
||||
-- Romain Perier <romain.perier@gmail.com> Mon, 22 Jul 2019 14:00:00 +0200
|
||||
|
||||
|
|
53
debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
vendored
Normal file
53
debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
vendored
Normal file
|
@ -0,0 +1,53 @@
|
|||
From: Denis Efremov <efremov@ispras.ru>
|
||||
Date: Fri, 12 Jul 2019 21:55:23 +0300
|
||||
Subject: floppy: fix out-of-bounds read in copy_buffer
|
||||
Origin: https://git.kernel.org/linus/da99466ac243f15fbba65bd261bfc75ffa1532b6
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14283
|
||||
|
||||
[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
|
||||
|
||||
This fixes a global out-of-bounds read access in the copy_buffer
|
||||
function of the floppy driver.
|
||||
|
||||
The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect
|
||||
and head fields (unsigned int) of the floppy_drive structure are used to
|
||||
compute the max_sector (int) in the make_raw_rw_request function. It is
|
||||
possible to overflow the max_sector. Next, max_sector is passed to the
|
||||
copy_buffer function and used in one of the memcpy calls.
|
||||
|
||||
An unprivileged user could trigger the bug if the device is accessible,
|
||||
but requires a floppy disk to be inserted.
|
||||
|
||||
The patch adds the check for the .sect * .head multiplication for not
|
||||
overflowing in the set_geometry function.
|
||||
|
||||
The bug was found by syzkaller.
|
||||
|
||||
Signed-off-by: Denis Efremov <efremov@ispras.ru>
|
||||
Tested-by: Willy Tarreau <w@1wt.eu>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
---
|
||||
drivers/block/floppy.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
|
||||
index a8de56f1936d..43e96f821aff 100644
|
||||
--- a/drivers/block/floppy.c
|
||||
+++ b/drivers/block/floppy.c
|
||||
@@ -3241,8 +3241,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
|
||||
int cnt;
|
||||
|
||||
/* sanity checking for parameters. */
|
||||
- if (g->sect <= 0 ||
|
||||
- g->head <= 0 ||
|
||||
+ if ((int)g->sect <= 0 ||
|
||||
+ (int)g->head <= 0 ||
|
||||
+ /* check for overflow in max_sector */
|
||||
+ (int)(g->sect * g->head) <= 0 ||
|
||||
g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
|
||||
/* check if reserved bits are set */
|
||||
(g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
|
||||
--
|
||||
2.20.1
|
||||
|
|
@ -235,6 +235,7 @@ bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.p
|
|||
bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
|
||||
bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
|
||||
bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
|
||||
bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue