linux/drivers/block
Denis Efremov 9b04609b78 floppy: fix invalid pointer dereference in drive_name
This fixes the invalid pointer dereference in the drive_name function of
the floppy driver.

The native_format field of the struct floppy_drive_params is used as
floppy_type array index in the drive_name function.  Thus, the field
should be checked the same way as the autodetect field.

To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl.  Next, FDGETDRVTYP ioctl should
be used to call the drive_name.  A floppy disk is not required to be
inserted.

CAP_SYS_ADMIN is required to call FDSETDRVPRM.

The patch adds the check for a value of the native_format field to be in
the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
indices.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:50 -07:00
..
aoe block: aoe: no need to check return value of debugfs_create functions 2019-06-04 13:38:23 -06:00
drbd treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 91 2019-05-24 17:37:53 +02:00
mtip32xx mtip32xx: also set max_segment_size in the device 2019-06-05 13:18:39 -06:00
paride Linux 5.1-rc6 2019-04-22 09:47:36 -06:00
rsxx rsxx: don't call dma_set_max_seg_size 2019-06-05 13:18:39 -06:00
xen-blkback treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
zram treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
amiflop.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ataflop.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
brd.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
cryptoloop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 30 2019-05-24 17:27:10 +02:00
floppy.c floppy: fix invalid pointer dereference in drive_name 2019-07-17 14:45:50 -07:00
Kconfig drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
loop.c loop: Don't change loop device under exclusive opener 2019-05-27 07:34:04 -06:00
loop.h block/loop: Use global lock for ioctl() operation. 2018-11-08 06:30:11 -07:00
Makefile drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
nbd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 127 2019-05-30 11:25:13 -07:00
null_blk_main.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
null_blk_zoned.c null_blk: remove duplicate check for report zone 2019-06-13 03:00:30 -06:00
null_blk.h null_blk: add zoned config support information 2019-01-06 10:58:27 -07:00
pktcdvd.c block: genhd: remove async_events field 2019-04-12 13:35:22 -06:00
ps3disk.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 164 2019-05-30 11:26:38 -07:00
ps3vram.c block/ps3vram: Use %llu to format sector_t after LBDAF removal 2019-06-13 03:17:50 -06:00
rbd_types.h rbd: RBD_V{1,2}_DATA_FORMAT macros 2017-02-20 12:16:15 +01:00
rbd.c rbd: don't assert on writes to snapshots 2019-05-07 19:43:04 +02:00
skd_main.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 497 2019-06-19 17:09:53 +02:00
skd_s1120.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 497 2019-06-19 17:09:53 +02:00
sunvdc.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
swim3.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim_asm.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sx8.c sx8: use a per-host tag_set 2018-11-09 08:14:14 -07:00
umem.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 349 2019-06-05 17:37:08 +02:00
umem.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 348 2019-06-05 17:37:08 +02:00
virtio_blk.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xen-blkfront.c xen-blkfront: switch kcalloc to kvcalloc for large array allocation 2019-06-03 22:16:19 -04:00
xsysace.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
z2ram.c powerpc updates for 4.20 2018-10-26 14:36:21 -07:00