diff options
| author | Denis Efremov <[email protected]> | 2019-07-12 21:55:23 +0300 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2019-07-17 14:45:50 -0700 |
| commit | da99466ac243f15fbba65bd261bfc75ffa1532b6 (patch) | |
| tree | a4078e6242803b3e1e5dd294fa0ad5fa52f4f9a3 /net/lapb/lapb_subr.c | |
| parent | 9b04609b784027968348796a18f601aed9db3789 (diff) | |
floppy: fix out-of-bounds read in copy_buffer
This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.
The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function. It is
possible to overflow the max_sector. Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.
An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.
The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.
The bug was found by syzkaller.
Signed-off-by: Denis Efremov <[email protected]>
Tested-by: Willy Tarreau <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'net/lapb/lapb_subr.c')
0 files changed, 0 insertions, 0 deletions