From patchwork Thu Feb 27 13:36:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 230397 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10789C52D28 for ; Thu, 27 Feb 2020 14:14:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D9A0424697 for ; Thu, 27 Feb 2020 14:14:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1582812854; bh=DPmLCLL0ahSP7fn+LS7OG75V/K+ecstt+63o9yJmvHY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=q0nbmZuwBd2S35T2BYinuQr6ZbQFfJw9yMnGy5DzE0IJzOkGgPa4PiUnxNO92dVZy 3MJ4OHv0y8Uh0TdXKG+gC3DhzIVce8QdJ3FVLEREV6vy3zo4Sz0AmgAtvNzJ14HtbO qdxOBiSRpQwluWJK1j80umvx6l9hE+POKsxC5S0U= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389092AbgB0OON (ORCPT ); Thu, 27 Feb 2020 09:14:13 -0500 Received: from mail.kernel.org ([198.145.29.99]:53324 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389074AbgB0OOM (ORCPT ); Thu, 27 Feb 2020 09:14:12 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4376E20578; Thu, 27 Feb 2020 14:14:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1582812851; bh=DPmLCLL0ahSP7fn+LS7OG75V/K+ecstt+63o9yJmvHY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LojfTRajhVlJxB+TDtxIWGpR0WDTGwHihxtPpcTyHd0W4jlhFi8vcp4XRJEpOSurF YRgwLAj6RhoFr3bTMgL3/ABf4lFqx+dS3d5RrLQ7hl/d9Um/Ac2Ie4VBdJRve2jMHa 2yprHEKmIVUO2l/0F8HNYy1d5caepne0yKWVj86g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jordy Zomer , Willy Tarreau , Dan Carpenter , Linus Torvalds Subject: [PATCH 5.5 023/150] floppy: check FDC index for errors before assigning it Date: Thu, 27 Feb 2020 14:36:00 +0100 Message-Id: <20200227132236.206297173@linuxfoundation.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200227132232.815448360@linuxfoundation.org> References: <20200227132232.815448360@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Linus Torvalds commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream. Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in wait_til_ready(). Which on the face of it can't happen, since as Willy Tarreau points out, the function does no particular memory access. Except through the FDCS macro, which just indexes a static allocation through teh current fdc, which is always checked against N_FDC. Except the checking happens after we've already assigned the value. The floppy driver is a disgrace (a lot of it going back to my original horrd "design"), and has no real maintainer. Nobody has the hardware, and nobody really cares. But it still gets used in virtual environment because it's one of those things that everybody supports. The whole thing should be re-written, or at least parts of it should be seriously cleaned up. The 'current fdc' index, which is used by the FDCS macro, and which is often shadowed by a local 'fdc' variable, is a prime example of how not to write code. But because nobody has the hardware or the motivation, let's just fix up the immediate problem with a nasty band-aid: test the fdc index before actually assigning it to the static 'fdc' variable. Reported-by: Jordy Zomer Cc: Willy Tarreau Cc: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/block/floppy.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -853,14 +853,17 @@ static void reset_fdc_info(int mode) /* selects the fdc and drive, and enables the fdc's input/dma. */ static void set_fdc(int drive) { + unsigned int new_fdc = fdc; + if (drive >= 0 && drive < N_DRIVE) { - fdc = FDC(drive); + new_fdc = FDC(drive); current_drive = drive; } - if (fdc != 1 && fdc != 0) { + if (new_fdc >= N_FDC) { pr_info("bad fdc value\n"); return; } + fdc = new_fdc; set_dor(fdc, ~0, 8); #if N_FDC > 1 set_dor(1 - fdc, ~8, 0);