floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)

debian/changelog

@@ -8,6 +8,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
   * binder: fix race between munmap() and direct reclaim (CVE-2019-1999)
   * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
   * Input: gtco - bounds check collection indent level (CVE-2019-13631)
+  * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
 
  -- Romain Perier <romain.perier@gmail.com>  Mon, 22 Jul 2019 14:00:00 +0200
 

debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch

@@ -0,0 +1,53 @@
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:23 +0300
+Subject: floppy: fix out-of-bounds read in copy_buffer
+Origin: https://git.kernel.org/linus/da99466ac243f15fbba65bd261bfc75ffa1532b6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14283
+
+[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
+
+This fixes a global out-of-bounds read access in the copy_buffer
+function of the floppy driver.
+
+The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
+and head fields (unsigned int) of the floppy_drive structure are used to
+compute the max_sector (int) in the make_raw_rw_request function.  It is
+possible to overflow the max_sector.  Next, max_sector is passed to the
+copy_buffer function and used in one of the memcpy calls.
+
+An unprivileged user could trigger the bug if the device is accessible,
+but requires a floppy disk to be inserted.
+
+The patch adds the check for the .sect * .head multiplication for not
+overflowing in the set_geometry function.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index a8de56f1936d..43e96f821aff 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3241,8 +3241,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ 	int cnt;
+ 
+ 	/* sanity checking for parameters. */
+-	if (g->sect <= 0 ||
+-	    g->head <= 0 ||
++	if ((int)g->sect <= 0 ||
++	    (int)g->head <= 0 ||
++	    /* check for overflow in max_sector */
++	    (int)(g->sect * g->head) <= 0 ||
+ 	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+ 	    /* check if reserved bits are set */
+ 	    (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
+-- 
+2.20.1
+

debian/patches/series

@@ -235,6 +235,7 @@ bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.p
 bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
 bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
 bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
+bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch