linux/drivers/s390/block
Stefan Haberland 4a8ef6999b s390/dasd: fix using offset into zero size array error
Dan Carpenter reported the following:

The patch 52898025cf: "[S390] dasd: security and PSF update patch
for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
checker warning:

	drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
	error: using offset into zero size array 'psf_data[]'

drivers/s390/block/dasd_eckd.c
  4458          /* Copy parms from caller */
  4459          rc = -EFAULT;
  4460          if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
                                    ^^^^^^^
The user can specify any "usrparm.psf_data_len".  They choose zero by
mistake.

  4461                  goto out;
  4462          if (is_compat_task()) {
  4463                  /* Make sure pointers are sane even on 31 bit. */
  4464                  rc = -EINVAL;
  4465                  if ((usrparm.psf_data >> 32) != 0)
  4466                          goto out;
  4467                  if ((usrparm.rssd_result >> 32) != 0)
  4468                          goto out;
  4469                  usrparm.psf_data &= 0x7fffffffULL;
  4470                  usrparm.rssd_result &= 0x7fffffffULL;
  4471          }
  4472          /* alloc I/O data area */
  4473          psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
  			   				 | GFP_DMA);
  4474          rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
							       | GFP_DMA);
  4475          if (!psf_data || !rssd_result) {

kzalloc() returns a ZERO_SIZE_PTR (0x16).

  4476                  rc = -ENOMEM;
  4477                  goto out_free;
  4478          }
  4479
  4480          /* get syscall header from user space */
  4481          rc = -EFAULT;
  4482          if (copy_from_user(psf_data,
  4483                             (void __user *)(unsigned long)
  				   	 		 usrparm.psf_data,
  4484                             usrparm.psf_data_len))

That all works great.

  4485                  goto out_free;
  4486          psf0 = psf_data[0];
  4487          psf1 = psf_data[1];

But now we're assuming that "->psf_data_len" was at least 2 bytes.

Fix this by checking the user specified length psf_data_len.

Fixes: 52898025cf ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-01-28 15:43:17 +01:00
..
dasd_3990_erp.c s390/dasd: configurable IFCC handling 2018-02-22 15:31:23 +01:00
dasd_alias.c s390/dasd: fix gcc 8 stringop-truncation warning 2018-07-02 11:24:53 +02:00
dasd_devmap.c s390/dasd,zfcp: fix gcc 8 stringop-truncation warnings 2018-07-02 11:24:52 +02:00
dasd_diag.c s390/dasd: move dasd_ccw_req to per request data 2018-06-12 15:14:19 +02:00
dasd_diag.h
dasd_eckd.c s390/dasd: fix using offset into zero size array error 2019-01-28 15:43:17 +01:00
dasd_eckd.h
dasd_eer.c s390/dasd,zfcp: fix gcc 8 stringop-truncation warnings 2018-07-02 11:24:52 +02:00
dasd_erp.c
dasd_fba.c s390/dasd: move dasd_ccw_req to per request data 2018-06-12 15:14:19 +02:00
dasd_fba.h
dasd_genhd.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
dasd_int.h s390/dasd: reduce the default queue depth and nr of hardware queues 2018-07-02 11:22:41 +02:00
dasd_ioctl.c dasd: remove dead code 2018-11-07 13:42:32 -07:00
dasd_proc.c s390/drivers: fix proc/debugfs file permissions 2018-12-13 10:42:24 +01:00
dasd.c s390: convert to DEFINE_SHOW_ATTRIBUTE 2018-12-13 10:42:23 +01:00
dcssblk.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
Kconfig dax: introduce CONFIG_DAX_DRIVER 2018-04-03 05:41:19 -07:00
Makefile
scm_blk.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
scm_blk.h
scm_drv.c
xpram.c block: Use blk_queue_flag_*() in drivers instead of queue_flag_*() 2018-03-08 14:13:48 -07:00