floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)

This retrieves the patch from the linux-4.19.y branch and refreshes the
previous one "floppy: fix out-of-bounds read in copy_buffer", because
this is firstly "floppy: fix div-by-zero in setup_format_params" that is
applied upstream, then the one regarding out-of-bounds read in copy_buffer.
The one for CVE-2019-14283 was previously refreshed because it was not
applicable directly. Now both patches are synchronized with upstream and
applied in the same order.

debian/changelog

@@ -10,6 +10,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
   * Input: gtco - bounds check collection indent level (CVE-2019-13631)
   * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
   * inet: switch IP ID generator to siphash (CVE-2019-10638)
+  * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
 
  -- Romain Perier <romain.perier@gmail.com>  Mon, 22 Jul 2019 14:00:00 +0200
 

debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch

@@ -0,0 +1,64 @@
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:20 +0300
+Subject: floppy: fix div-by-zero in setup_format_params
+Origin: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14284
+
+[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
+
+This fixes a divide by zero error in the setup_format_params function of
+the floppy driver.
+
+Two consecutive ioctls can trigger the bug: The first one should set the
+drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
+to become zero.  Next, the floppy format operation should be called.
+
+A floppy disk is not required to be inserted.  An unprivileged user
+could trigger the bug if the device is accessible.
+
+The patch checks F_SECT_PER_TRACK for a non-zero value in the
+set_geometry function.  The proper check should involve a reasonable
+upper limit for the .sect and .rate fields, but it could change the
+UAPI.
+
+The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
+cancels the formatting operation in case of zero.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+(limited to 'drivers/block/floppy.c')
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index a8de56f1936d..b1425b218606 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -2119,6 +2119,9 @@ static void setup_format_params(int track)
+ 	raw_cmd->kernel_data = floppy_track_buffer;
+ 	raw_cmd->length = 4 * F_SECT_PER_TRACK;
+ 
++	if (!F_SECT_PER_TRACK)
++		return;
++
+ 	/* allow for about 30ms for data transport per track */
+ 	head_shift = (F_SECT_PER_TRACK + 5) / 6;
+ 
+@@ -3243,6 +3246,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ 	/* sanity checking for parameters. */
+ 	if (g->sect <= 0 ||
+ 	    g->head <= 0 ||
++	    /* check for zero in F_SECT_PER_TRACK */
++	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+ 	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+ 	    /* check if reserved bits are set */
+ 	    (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
+-- 
+cgit 1.2-0.3.lf.el7
+

debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch

@@ -31,11 +31,13 @@ Signed-off-by: Sasha Levin <sashal@kernel.org>
  drivers/block/floppy.c | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)
 
+(limited to 'drivers/block/floppy.c')
+
 diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
-index a8de56f1936d..43e96f821aff 100644
+index 8d69a8af8b78..4a9a4d12721a 100644
 --- a/drivers/block/floppy.c
 +++ b/drivers/block/floppy.c
-@@ -3241,8 +3241,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+@@ -3244,8 +3244,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
  	int cnt;
  
  	/* sanity checking for parameters. */
@@ -45,9 +47,9 @@ index a8de56f1936d..43e96f821aff 100644
 +	    (int)g->head <= 0 ||
 +	    /* check for overflow in max_sector */
 +	    (int)(g->sect * g->head) <= 0 ||
+ 	    /* check for zero in F_SECT_PER_TRACK */
+ 	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
  	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
- 	    /* check if reserved bits are set */
- 	    (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
 -- 
-2.20.1
+cgit 1.2-0.3.lf.el7
 

debian/patches/series

@@ -235,8 +235,9 @@ bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.p
 bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
 bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
 bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
-bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
 bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
+bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
+bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch