1 | From e69b39e45b660201ab047f34a6c9eac2ff025bd3 Mon Sep 17 00:00:00 2001 |
2 | From: Stefan Haberland <sth@linux.ibm.com> | |
3 | Date: Wed, 21 Nov 2018 12:39:47 +0100 | |
4 | Subject: s390/dasd: fix using offset into zero size array error | |
5 | ||
6 | [ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ] | |
7 | ||
8 | Dan Carpenter reported the following: | |
9 | ||
10 | The patch 52898025cf7d: "[S390] dasd: security and PSF update patch | |
11 | for EMC CKD ioctl" from Mar 8, 2010, leads to the following static | |
12 | checker warning: | |
13 | ||
14 | drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io() | |
15 | error: using offset into zero size array 'psf_data[]' | |
16 | ||
17 | drivers/s390/block/dasd_eckd.c | |
18 | 4458 /* Copy parms from caller */ | |
19 | 4459 rc = -EFAULT; | |
20 | 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm))) | |
21 | ^^^^^^^ | |
22 | The user can specify any "usrparm.psf_data_len". They choose zero by | |
23 | mistake. | |
24 | ||
25 | 4461 goto out; | |
26 | 4462 if (is_compat_task()) { | |
27 | 4463 /* Make sure pointers are sane even on 31 bit. */ | |
28 | 4464 rc = -EINVAL; | |
29 | 4465 if ((usrparm.psf_data >> 32) != 0) | |
30 | 4466 goto out; | |
31 | 4467 if ((usrparm.rssd_result >> 32) != 0) | |
32 | 4468 goto out; | |
33 | 4469 usrparm.psf_data &= 0x7fffffffULL; | |
34 | 4470 usrparm.rssd_result &= 0x7fffffffULL; | |
35 | 4471 } | |
36 | 4472 /* alloc I/O data area */ | |
37 | 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | |
38 | | GFP_DMA); | |
39 | 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | |
40 | | GFP_DMA); | |
41 | 4475 if (!psf_data || !rssd_result) { | |
42 | ||
43 | kzalloc() returns a ZERO_SIZE_PTR (0x16). | |
44 | ||
45 | 4476 rc = -ENOMEM; | |
46 | 4477 goto out_free; | |
47 | 4478 } | |
48 | 4479 | |
49 | 4480 /* get syscall header from user space */ | |
50 | 4481 rc = -EFAULT; | |
51 | 4482 if (copy_from_user(psf_data, | |
52 | 4483 (void __user *)(unsigned long) | |
53 | usrparm.psf_data, | |
54 | 4484 usrparm.psf_data_len)) | |
55 | ||
56 | That all works great. | |
57 | ||
58 | 4485 goto out_free; | |
59 | 4486 psf0 = psf_data[0]; | |
60 | 4487 psf1 = psf_data[1]; | |
61 | ||
62 | But now we're assuming that "->psf_data_len" was at least 2 bytes. | |
63 | ||
64 | Fix this by checking the user specified length psf_data_len. | |
65 | ||
66 | Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl") | |
67 | Reported-by: Dan Carpenter <dan.carpenter@oracle.com> | |
68 | Signed-off-by: Stefan Haberland <sth@linux.ibm.com> | |
69 | Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> | |
70 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
71 | --- | |
72 | drivers/s390/block/dasd_eckd.c | 8 ++++++++ | |
73 | 1 file changed, 8 insertions(+) | |
74 | ||
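diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index dac2f6883e28..80a43074c2f9 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -4023,6 +4023,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
 usrparm.psf_data &= 0x7fffffffULL;
 usrparm.rssd_result &= 0x7fffffffULL;
 }
+ /* at least 2 bytes are accessed and should be allocated */
+ if (usrparm.psf_data_len < 2) {
+ DBF_DEV_EVENT(DBF_WARNING, device,
+ "Symmetrix ioctl invalid data length %d",
+ usrparm.psf_data_len);
+ rc = -EINVAL;
+ goto out;
+ }
 /* alloc I/O data area */
 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);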
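Review bot: The new check bounds `psf_data_len` only from below, so the full positive range of the user-supplied field still reaches `kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA)` two lines later; the `%d` in the DBF message indicates a signed int, meaning an ioctl caller can request an allocation of up to INT_MAX bytes from the DMA zone, which is a cheap way to exhaust or thrash that pool. An upper bound tied to the largest PSF request the device actually accepts would close that, e.g. `if (usrparm.psf_data_len < 2 || usrparm.psf_data_len > PSF_DATA_LEN_MAX_PLACEHOLDER) {` with the constant chosen from the driver's known command sizes. The same unchecked flow applies to `rssd_result_len` on the last line of the hunk: a zero or negative value becomes a ZERO_SIZE_PTR or a failed allocation, and whether the zero case is later dereferenced or handed to the channel program cannot be seen here, so a matching lower bound is worth confirming. Note that the error path correctly uses `goto out` rather than `out_free`, since nothing has been allocated yet. dasd_symm_io begins and ends outside the hunk.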
94 | -- | |
95 | 2.19.1 | |