[SRU][CVE-2019-14283][X/B/D][PATCH 0/1] floppy: fix out-of-bounds read in copy_buffer

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU][CVE-2019-14283][X/B/D][PATCH 0/1] floppy: fix out-of-bounds read in copy_buffer

Connor Kuehl
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14283.html

From the link above:

"In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c
does not validate the sect and head fields, as demonstrated by an integer
overflow and out-of-bounds read. It can be triggered by an unprivileged
local user when a floppy disk has been inserted. NOTE: QEMU creates the
floppy device by default."

**NOTE**: CVE-2019-14284 must be applied first for this patch to cherry pick
cleanly. As of this writing, that patch has already been sent to the
mailing list [1] and has enough ACKs to be applied.

[1] https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html

Denis Efremov (1):
  floppy: fix out-of-bounds read in copy_buffer

 drivers/block/floppy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer

Connor Kuehl
From: Denis Efremov <[hidden email]>

CVE-2019-14283

This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function.  It is
possible to overflow the max_sector.  Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.

The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <[hidden email]>
Tested-by: Willy Tarreau <[hidden email]>
Signed-off-by: Linus Torvalds <[hidden email]>
(cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
Signed-off-by: Connor Kuehl <[hidden email]>
---
 drivers/block/floppy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 42ae1d2d8243..7516fed84ae9 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
  int cnt;
 
  /* sanity checking for parameters. */
- if (g->sect <= 0 ||
-    g->head <= 0 ||
+ if ((int)g->sect <= 0 ||
+    (int)g->head <= 0 ||
+    /* check for overflow in max_sector */
+    (int)(g->sect * g->head) <= 0 ||
     /* check for zero in F_SECT_PER_TRACK */
     (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
     g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer

Tyler Hicks-2
On 2019-08-01 10:45:17, Connor Kuehl wrote:

> From: Denis Efremov <[hidden email]>
>
> CVE-2019-14283
>
> This fixes a global out-of-bounds read access in the copy_buffer
> function of the floppy driver.
>
> The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> and head fields (unsigned int) of the floppy_drive structure are used to
> compute the max_sector (int) in the make_raw_rw_request function.  It is
> possible to overflow the max_sector.  Next, max_sector is passed to the
> copy_buffer function and used in one of the memcpy calls.
>
> An unprivileged user could trigger the bug if the device is accessible,
> but requires a floppy disk to be inserted.
>
> The patch adds the check for the .sect * .head multiplication for not
> overflowing in the set_geometry function.
>
> The bug was found by syzkaller.
>
> Signed-off-by: Denis Efremov <[hidden email]>
> Tested-by: Willy Tarreau <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> Signed-off-by: Connor Kuehl <[hidden email]>

Acked-by: Tyler Hicks <[hidden email]>

Tyler

> ---
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 42ae1d2d8243..7516fed84ae9 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
>   int cnt;
>  
>   /* sanity checking for parameters. */
> - if (g->sect <= 0 ||
> -    g->head <= 0 ||
> + if ((int)g->sect <= 0 ||
> +    (int)g->head <= 0 ||
> +    /* check for overflow in max_sector */
> +    (int)(g->sect * g->head) <= 0 ||
>      /* check for zero in F_SECT_PER_TRACK */
>      (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
>      g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> --
> 2.20.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer

Colin Ian King-2
In reply to this post by Connor Kuehl
On 01/08/2019 18:45, Connor Kuehl wrote:

> From: Denis Efremov <[hidden email]>
>
> CVE-2019-14283
>
> This fixes a global out-of-bounds read access in the copy_buffer
> function of the floppy driver.
>
> The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> and head fields (unsigned int) of the floppy_drive structure are used to
> compute the max_sector (int) in the make_raw_rw_request function.  It is
> possible to overflow the max_sector.  Next, max_sector is passed to the
> copy_buffer function and used in one of the memcpy calls.
>
> An unprivileged user could trigger the bug if the device is accessible,
> but requires a floppy disk to be inserted.
>
> The patch adds the check for the .sect * .head multiplication for not
> overflowing in the set_geometry function.
>
> The bug was found by syzkaller.
>
> Signed-off-by: Denis Efremov <[hidden email]>
> Tested-by: Willy Tarreau <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> Signed-off-by: Connor Kuehl <[hidden email]>
> ---
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 42ae1d2d8243..7516fed84ae9 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
>   int cnt;
>  
>   /* sanity checking for parameters. */
> - if (g->sect <= 0 ||
> -    g->head <= 0 ||
> + if ((int)g->sect <= 0 ||
> +    (int)g->head <= 0 ||
> +    /* check for overflow in max_sector */
> +    (int)(g->sect * g->head) <= 0 ||
>      /* check for zero in F_SECT_PER_TRACK */
>      (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
>      g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
>

Acked-by: Colin Ian King <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer

Khaled Elmously
In reply to this post by Connor Kuehl
On 2019-08-01 10:45:17 , Connor Kuehl wrote:

> From: Denis Efremov <[hidden email]>
>
> CVE-2019-14283
>
> This fixes a global out-of-bounds read access in the copy_buffer
> function of the floppy driver.
>
> The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> and head fields (unsigned int) of the floppy_drive structure are used to
> compute the max_sector (int) in the make_raw_rw_request function.  It is
> possible to overflow the max_sector.  Next, max_sector is passed to the
> copy_buffer function and used in one of the memcpy calls.
>
> An unprivileged user could trigger the bug if the device is accessible,
> but requires a floppy disk to be inserted.
>
> The patch adds the check for the .sect * .head multiplication for not
> overflowing in the set_geometry function.
>
> The bug was found by syzkaller.
>
> Signed-off-by: Denis Efremov <[hidden email]>
> Tested-by: Willy Tarreau <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> Signed-off-by: Connor Kuehl <[hidden email]>
> ---
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 42ae1d2d8243..7516fed84ae9 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
>   int cnt;
>  
>   /* sanity checking for parameters. */
> - if (g->sect <= 0 ||
> -    g->head <= 0 ||
> + if ((int)g->sect <= 0 ||
> +    (int)g->head <= 0 ||
> +    /* check for overflow in max_sector */
> +    (int)(g->sect * g->head) <= 0 ||
>      /* check for zero in F_SECT_PER_TRACK */
>      (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
>      g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||


Hmm...This patch doesn't seem to apply to any of X or B or D.

Looks like this patch is the upstream patch exactly but it appears the upstream patch actually needs some (minor?) backport work.

Connor, could you please double check?

Thanks

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer

Po-Hsu Lin (Sam)
This will need the patch for CVE-2019-14284 to be landed first.
https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html

On Wed, Aug 7, 2019 at 11:37 AM Khaled Elmously
<[hidden email]> wrote:

>
> On 2019-08-01 10:45:17 , Connor Kuehl wrote:
> > From: Denis Efremov <[hidden email]>
> >
> > CVE-2019-14283
> >
> > This fixes a global out-of-bounds read access in the copy_buffer
> > function of the floppy driver.
> >
> > The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> > and head fields (unsigned int) of the floppy_drive structure are used to
> > compute the max_sector (int) in the make_raw_rw_request function.  It is
> > possible to overflow the max_sector.  Next, max_sector is passed to the
> > copy_buffer function and used in one of the memcpy calls.
> >
> > An unprivileged user could trigger the bug if the device is accessible,
> > but requires a floppy disk to be inserted.
> >
> > The patch adds the check for the .sect * .head multiplication for not
> > overflowing in the set_geometry function.
> >
> > The bug was found by syzkaller.
> >
> > Signed-off-by: Denis Efremov <[hidden email]>
> > Tested-by: Willy Tarreau <[hidden email]>
> > Signed-off-by: Linus Torvalds <[hidden email]>
> > (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> > Signed-off-by: Connor Kuehl <[hidden email]>
> > ---
> >  drivers/block/floppy.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> > index 42ae1d2d8243..7516fed84ae9 100644
> > --- a/drivers/block/floppy.c
> > +++ b/drivers/block/floppy.c
> > @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
> >       int cnt;
> >
> >       /* sanity checking for parameters. */
> > -     if (g->sect <= 0 ||
> > -         g->head <= 0 ||
> > +     if ((int)g->sect <= 0 ||
> > +         (int)g->head <= 0 ||
> > +         /* check for overflow in max_sector */
> > +         (int)(g->sect * g->head) <= 0 ||
> >           /* check for zero in F_SECT_PER_TRACK */
> >           (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
> >           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
>
>
> Hmm...This patch doesn't seem to apply to any of X or B or D.
>
> Looks like this patch is the upstream patch exactly but it appears the upstream patch actually needs some (minor?) backport work.
>
> Connor, could you please double check?
>
> Thanks
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][CVE-2019-14283][X/B/D][PATCH 1/1] floppy: fix out-of-bounds read in copy_buffer

Khaled Elmously
Yep - thanks Sam!


On 2019-08-07 12:51:32 , Po-Hsu Lin wrote:

> This will need the patch for CVE-2019-14284 to be landed first.
> https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html
>
> On Wed, Aug 7, 2019 at 11:37 AM Khaled Elmously
> <[hidden email]> wrote:
> >
> > On 2019-08-01 10:45:17 , Connor Kuehl wrote:
> > > From: Denis Efremov <[hidden email]>
> > >
> > > CVE-2019-14283
> > >
> > > This fixes a global out-of-bounds read access in the copy_buffer
> > > function of the floppy driver.
> > >
> > > The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
> > > and head fields (unsigned int) of the floppy_drive structure are used to
> > > compute the max_sector (int) in the make_raw_rw_request function.  It is
> > > possible to overflow the max_sector.  Next, max_sector is passed to the
> > > copy_buffer function and used in one of the memcpy calls.
> > >
> > > An unprivileged user could trigger the bug if the device is accessible,
> > > but requires a floppy disk to be inserted.
> > >
> > > The patch adds the check for the .sect * .head multiplication for not
> > > overflowing in the set_geometry function.
> > >
> > > The bug was found by syzkaller.
> > >
> > > Signed-off-by: Denis Efremov <[hidden email]>
> > > Tested-by: Willy Tarreau <[hidden email]>
> > > Signed-off-by: Linus Torvalds <[hidden email]>
> > > (cherry picked from commit da99466ac243f15fbba65bd261bfc75ffa1532b6)
> > > Signed-off-by: Connor Kuehl <[hidden email]>
> > > ---
> > >  drivers/block/floppy.c | 6 ++++--
> > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> > > index 42ae1d2d8243..7516fed84ae9 100644
> > > --- a/drivers/block/floppy.c
> > > +++ b/drivers/block/floppy.c
> > > @@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
> > >       int cnt;
> > >
> > >       /* sanity checking for parameters. */
> > > -     if (g->sect <= 0 ||
> > > -         g->head <= 0 ||
> > > +     if ((int)g->sect <= 0 ||
> > > +         (int)g->head <= 0 ||
> > > +         /* check for overflow in max_sector */
> > > +         (int)(g->sect * g->head) <= 0 ||
> > >           /* check for zero in F_SECT_PER_TRACK */
> > >           (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
> > >           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> >
> >
> > Hmm...This patch doesn't seem to apply to any of X or B or D.
> >
> > Looks like this patch is the upstream patch exactly but it appears the upstream patch actually needs some (minor?) backport work.
> >
> > Connor, could you please double check?
> >
> > Thanks
> >
> > --
> > kernel-team mailing list
> > [hidden email]
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU][CVE-2019-14283][X/B/D][PATCH 0/1] floppy: fix out-of-bounds read in copy_buffer

Khaled Elmously
In reply to this post by Connor Kuehl
On 2019-08-01 10:45:16 , Connor Kuehl wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14283.html
>
> From the link above:
>
> "In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c
> does not validate the sect and head fields, as demonstrated by an integer
> overflow and out-of-bounds read. It can be triggered by an unprivileged
> local user when a floppy disk has been inserted. NOTE: QEMU creates the
> floppy device by default."
>
> **NOTE**: CVE-2019-14284 must be applied first for this patch to cherry pick
> cleanly. As of this writing, that patch has already been sent to the
> mailing list [1] and has enough ACKs to be applied.
>
> [1] https://lists.ubuntu.com/archives/kernel-team/2019-July/102711.html
>
> Denis Efremov (1):
>   floppy: fix out-of-bounds read in copy_buffer
>
>  drivers/block/floppy.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> --
> 2.20.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team