shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-02 03:03:00 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
ddd64dd8954a2ca96cda8ab8e80fb08026adcbc8
linux/drivers
History
Denis Efremov ddd64dd895 floppy: fix out-of-bounds read in copy_buffer 
[ Upstream commit da99466ac2 ]

This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function.  It is
possible to overflow the max_sector.  Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.

The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-15 14:02:36 +09:00
..
accessibility
acpi
x86/cpu: Sanitize FAM6_ATOM naming
2023-05-15 12:46:28 +09:00
amba
ARM: amba: Don't read past the end of sysfs "driver_override" buffer
2018-05-01 15:13:08 -07:00
amlogic
tee: disable by default
2023-05-12 16:27:16 +09:00
android
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
ata
libata: don't request sense data on !ZAC ATA devices
2023-05-15 14:01:13 +09:00
atm
atm: he: fix sign-extension overflow on large shift
2023-05-15 11:44:23 +09:00
auxdisplay
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
2018-02-13 12:35:55 +01:00
base
regmap: fix bulk writes on paged registers
2023-05-15 14:00:40 +09:00
bcma
block
floppy: fix out-of-bounds read in copy_buffer
2023-05-15 14:02:36 +09:00
bluetooth
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
2023-05-15 14:01:33 +09:00
bus
bus: arm-cci: remove unnecessary unreachable()
2023-05-15 10:05:32 +09:00
cdrom
cdrom: Fix race condition in cdrom_sysctl_register
2023-05-15 12:17:16 +09:00
char
virtio_console: initialize vtermno value for ports
2023-05-15 13:36:01 +09:00
clk
clk: sunxi: fix uninitialized access
2023-05-15 13:57:04 +09:00
clocksource
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
2023-05-15 14:01:14 +09:00
connector
cpufreq
cpufreq: pmac32: fix possible object reference leak
2023-05-15 13:35:19 +09:00
cpuidle
cpuidle: big.LITTLE: fix refcount leak
2023-05-15 11:22:49 +09:00
crypto
crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
2023-05-15 14:01:54 +09:00
dax
device-dax: implement ->split() to catch invalid munmap attempts
2018-02-28 10:18:33 +01:00
dca
devfreq
PM / devfreq: Fix potential NULL pointer dereference in governor_store
2018-04-13 19:48:09 +02:00
dio
dma
dmaengine: imx-sdma: fix use-after-free on probe error path
2023-05-15 13:59:26 +09:00
dma-buf
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
edac
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
2023-05-15 14:01:26 +09:00
eisa
extcon
extcon: arizona: Disable mic detect if running when driver is removed
2023-05-15 13:35:13 +09:00
firewire
firewire-ohci: work around oversized DMA reads on JMicron controllers
2018-05-30 07:50:18 +02:00
firmware
efi/libstub: Unify command line param parsing
2023-05-15 13:40:43 +09:00
fmc
fpga
gpio
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
2023-05-15 14:01:32 +09:00
gpu
drm/nouveau/i2c: Enable i2c pads & busses during preinit
2023-05-15 14:02:17 +09:00
hardkernel
ODROID-G12: Make hid-multitouch and dwav-usb-mt driver as mouldes.
2022-03-15 09:20:56 +09:00
hid
HID: core: move Usage Page concatenation to Main item
2023-05-15 13:35:51 +09:00
hsi
HSI: ssi_protocol: double free in ssip_pn_xmit()
2018-03-24 11:00:12 +01:00
hv
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
2023-05-15 10:45:29 +09:00
hwmon
hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
2023-05-15 13:55:14 +09:00
hwspinlock
hwtracing
intel_th: msu: Fix single mode with IOMMU
2023-05-15 12:52:30 +09:00
i2c
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
2023-05-15 13:49:54 +09:00
ide
ide: pmac: add of_node_put()
2023-05-15 10:39:04 +09:00
idle
x86/cpu: Sanitize FAM6_ATOM naming
2023-05-15 12:46:28 +09:00
iio
iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
2023-05-15 13:35:27 +09:00
infiniband
ipoib: correcly show a VF hardware address
2023-05-15 14:00:51 +09:00
input
Input: gtco - bounds check collection indent level
2023-05-15 14:01:56 +09:00
iommu
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
2023-05-15 13:47:46 +09:00
ipack
irqchip
Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
2023-05-15 13:41:02 +09:00
isdn
mISDN: make sure device name is NUL terminated
2023-05-15 13:49:45 +09:00
leds
leds: pca9532: fix a potential NULL pointer dereference
2023-05-15 12:37:28 +09:00
lguest
lightnvm
macintosh
macintosh/rack-meter: Convert cputime64_t use to u64
2023-05-15 09:10:25 +09:00
mailbox
mailbox: xgene-slimpro: Fix potential NULL pointer dereference
2023-05-12 17:22:44 +09:00
mcb
MCB: add support for SC31 to mcb-lpc
2017-09-09 17:39:41 +02:00
md
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
2023-05-15 14:01:27 +09:00
media
media: coda: Remove unbalanced and unneeded mutex unlock
2023-05-15 14:02:11 +09:00
memory
memory: tegra: Fix integer overflow on tick value calculation
2023-05-15 12:52:51 +09:00
memstick
memstick: Prevent memstick host from getting runtime suspended during card detection
2023-05-15 11:22:55 +09:00
message
Merge 4.9.103 into android-4.9
2018-05-25 17:06:35 +02:00
mfd
mfd: omap-usb-tll: Fix register offsets
2023-05-15 13:56:57 +09:00
misc
VMCI: Fix integer overflow in VMCI handle arrays
2023-05-15 13:58:47 +09:00
mmc
mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
2023-05-15 13:35:09 +09:00
mtd
mtd: rawnand: gpmi: fix MX28 bus master lockup problem
2023-05-15 11:30:03 +09:00
net
iwlwifi: pcie: don't service an interrupt that was masked
2023-05-15 14:02:00 +09:00
nfc
spi: ST ST95HF NFC: declare missing of table
2023-05-15 12:50:06 +09:00
ntb
ntb_transport: Fix bug with max_mw_size parameter
2018-05-30 07:50:22 +02:00
nubus
nvdimm
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
2023-05-15 14:02:25 +09:00
nvme
nvme: Fix u32 overflow in the number of namespace list calculation
2023-05-15 13:55:16 +09:00
nvmem
nvmem: core: fix read buffer in place
2023-05-15 13:47:50 +09:00
of
of: add helper to lookup compatible child node
2023-05-15 09:58:01 +09:00
oprofile
parisc
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
2023-05-15 13:40:57 +09:00
parport
parport: Fix mem leak in parport_register_dev_model
2023-05-15 13:54:47 +09:00
pci
PCI: Do not poll for PME if the device is in D3cold
2023-05-15 14:02:22 +09:00
pcmcia
pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
2023-05-15 09:18:55 +09:00
perf
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
phy
phy: tegra: remove redundant self assignment of 'map'
2023-05-15 11:45:19 +09:00
pinctrl
pinctrl: pistachio: fix leaked of_node references
2023-05-15 13:34:23 +09:00
platform
platform/x86: intel_pmc_ipc: adding error handling
2023-05-15 13:48:11 +09:00
pnp
power
power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
2023-05-15 12:53:32 +09:00
powercap
x86/cpu: Sanitize FAM6_ATOM naming
2023-05-15 12:46:28 +09:00
pps
ps3
ptp
ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
2023-05-15 11:22:20 +09:00
pwm
pwm: Fix deadlock warning when removing PWM device
2023-05-15 13:48:28 +09:00
rapidio
rapidio: fix a NULL pointer dereference when create_workqueue() fails
2023-05-15 13:47:01 +09:00
ras
regulator
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
2023-05-15 14:01:57 +09:00
remoteproc
reset
reset: make device_reset_optional() really optional
2023-05-15 10:06:13 +09:00
rpmsg
rpmsg: smd: fix memory leak on channel create
2023-05-15 09:23:11 +09:00
rtc
rtc: pcf8523: don't return invalid date when battery is low
2023-05-15 13:49:26 +09:00
s390
s390/qdio: handle PENDING state for QEBSM devices
2023-05-15 14:00:32 +09:00
sbus
drivers/sbus/char: add of_node_put()
2023-05-15 10:37:00 +09:00
scsi
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
2023-05-15 14:01:47 +09:00
sfi
sh
sn
soc
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
2023-05-15 13:48:00 +09:00
spi
spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
2023-05-15 13:56:40 +09:00
spmi
spmi: Include OF based modalias in device uevent
2017-07-27 15:08:08 -07:00
ssb
ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
2023-05-15 12:59:29 +09:00
staging
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
2023-05-15 13:59:54 +09:00
target
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
2023-05-15 12:05:59 +09:00
tc
TC: Set DMA masks for devices
2023-05-15 09:23:01 +09:00
tee
Amlogic: sync the code from mainline. [1/1]
2020-02-04 13:48:58 +09:00
thermal
drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
2023-05-15 13:47:20 +09:00
thunderbolt
thunderbolt: Resume control channel after hibernation image is created
2018-04-24 09:34:12 +02:00
tty
Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
2023-05-15 13:58:38 +09:00
uio
uio: Fix an Oops on load
2023-05-15 09:51:46 +09:00
usb
usb: renesas_usbhs: add a workaround for a race condition of workqueue
2023-05-15 13:58:42 +09:00
uwb
uwb: hwa-rc: fix memory leak at probe
2023-05-15 08:28:33 +09:00
vfio
vfio/pci: use correct format characters
2023-05-15 12:38:46 +09:00
vhost
vhost_net: disable zerocopy by default
2023-05-15 14:00:50 +09:00
video
video: imsttfb: fix potential NULL pointer dereferences
2023-05-15 13:48:17 +09:00
virt
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
2023-05-15 12:50:46 +09:00
virtio
virtio: Honour 'may_reduce_num' in vring_create_virtqueue
2023-05-15 12:22:45 +09:00
vlynq
vme
w1
w1: fix the resume command API
2023-05-15 13:00:07 +09:00
watchdog
watchdog: fix compile time error of pretimeout governors
2023-05-15 13:47:45 +09:00
xen
xen: let alloc_xenballooned_pages() fail if not enough memory free
2023-05-15 14:01:42 +09:00
zorro
zorro: Set up z->dev.dma_mask for the DMA API
2018-05-30 07:50:44 +02:00
Kconfig
ODROID: sysfs: Add poweroff_trigger sysfs node.
2019-12-11 18:21:09 +09:00
Makefile
ODROID: sysfs: Add poweroff_trigger sysfs node.
2019-12-11 18:21:09 +09:00