From ec64cb4c87c6bab01550ba7dc241f3e8252ecc88 Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Mon, 5 Aug 2019 17:50:40 +0200
Subject: [PATCH] floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)

This retrieves the patch from the linux-4.19.y branch and refreshes the previous one "floppy: fix out-of-bounds read in copy_buffer", because this is firstly "floppy: fix div-by-zero in setup_format_params" that is applied upstream, then the one regarding out-of-bounds read in copy_buffer. The one for CVE-2019-14283 was previously refreshed because it was not applicable directly. Now both patches are synchronized with upstream and applied in the same order.
---
 debian/changelog | 1 +
 ...x-div-by-zero-in-setup_format_params.patch | 64 +++++++++++++++++++
 ...ix-out-of-bounds-read-in-copy_buffer.patch | 12 ++--
 debian/patches/series | 3 +-
 4 files changed, 74 insertions(+), 6 deletions(-)
 create mode 100644 debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch

diff --git a/debian/changelog b/debian/changelog
index f3f3b389e..1a3cda3be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
 * Input: gtco - bounds check collection indent level (CVE-2019-13631)
 * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
 * inet: switch IP ID generator to siphash (CVE-2019-10638)
+ * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
 -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200
diff --git a/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch b/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
new file mode 100644
index 000000000..cb8b8bae0
--- /dev/null
+++ b/debian/patches/bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
@@ -0,0 +1,64 @@
+From: Denis Efremov
+Date: Fri, 12 Jul 2019 21:55:20 +0300
+Subject: floppy: fix div-by-zero in setup_format_params
+Origin: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14284
+
+[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
+
+This fixes a divide by zero error in the setup_format_params function of
+the floppy driver.
+
+Two consecutive ioctls can trigger the bug: The first one should set the
+drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
+to become zero. Next, the floppy format operation should be called.
+
+A floppy disk is not required to be inserted. An unprivileged user
+could trigger the bug if the device is accessible.
+
+The patch checks F_SECT_PER_TRACK for a non-zero value in the
+set_geometry function. The proper check should involve a reasonable
+upper limit for the .sect and .rate fields, but it could change the
+UAPI.
+
+The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
+cancels the formatting operation in case of zero.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov
+Tested-by: Willy Tarreau
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/block/floppy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+(limited to 'drivers/block/floppy.c')
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index a8de56f1936d..b1425b218606 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -2119,6 +2119,9 @@ static void setup_format_params(int track)
+ raw_cmd->kernel_data = floppy_track_buffer;
+ raw_cmd->length = 4 * F_SECT_PER_TRACK;
+
++ if (!F_SECT_PER_TRACK)
++ return;
++
+ /* allow for about 30ms for data transport per track */
+ head_shift = (F_SECT_PER_TRACK + 5) / 6;
+
+@@ -3243,6 +3246,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ /* sanity checking for parameters. */
+ if (g->sect <= 0 ||
+ g->head <= 0 ||
++ /* check for zero in F_SECT_PER_TRACK */
++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+ g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+ /* check if reserved bits are set */
+ (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
index 3eb5630d6..5df95a35d 100644
--- a/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
+++ b/debian/patches/bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
@@ -31,11 +31,13 @@ Signed-off-by: Sasha Levin
 drivers/block/floppy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
+(limited to 'drivers/block/floppy.c')
+
 diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
-index a8de56f1936d..43e96f821aff 100644
+index 8d69a8af8b78..4a9a4d12721a 100644
 --- a/drivers/block/floppy.c
 +++ b/drivers/block/floppy.c
-@@ -3241,8 +3241,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+@@ -3244,8 +3244,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
 int cnt;
 /* sanity checking for parameters. */
@@ -45,9 +47,9 @@ index a8de56f1936d..43e96f821aff 100644
 + (int)g->head <= 0 ||
 + /* check for overflow in max_sector */
 + (int)(g->sect * g->head) <= 0 ||
+ /* check for zero in F_SECT_PER_TRACK */
+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
 g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
- /* check if reserved bits are set */
- (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
 --
-2.20.1
+cgit 1.2-0.3.lf.el7
diff --git a/debian/patches/series b/debian/patches/series
index 2687b28f0..178ae62e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
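Review bot: The new `if (!F_SECT_PER_TRACK) return;` in setup_format_params is placed after `raw_cmd->kernel_data` and `raw_cmd->length = 4 * F_SECT_PER_TRACK;` have been stored, and nothing in the hunk explains why the bail-out does not come before those two stores; the ordering is presumably deliberate (a zero sector count leaves `raw_cmd->length` at 0 rather than whatever an earlier command left there), but a reader cannot tell that from these lines. I would add above the check a comment like `/* F_SECT_PER_TRACK == 0: length is already 0; return before the per-track arithmetic below divides by the sector count */` (the division the commit message refers to is not in the visible lines, so confirm its location when wording this). In the set_geometry hunk, `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0` appears to be the F_SECT_PER_TRACK arithmetic applied to the requested geometry rather than to the current drive, and a comment such as `/* mirrors F_SECT_PER_TRACK, evaluated on g; keep in sync with the macro */` would keep the two from drifting apart. As the upstream description already notes, this rejects only the zero case and not out-of-range .sect/.rate values, so the guard in setup_format_params remains the last line of defence. Both setup_format_params and set_geometry continue outside the hunks shown.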
@@ -235,8 +235,9 @@ bugfix/all/nfc-Ensure-presence-of-required-attributes-in-the-deactivate_target.p
 bugfix/all/binder-fix-race-between-munmap-and-direct-reclaim.patch
 bugfix/all/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
 bugfix/all/input-gtco-bounds-check-collection-indent-level.patch
-bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
 bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
+bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
+bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch