1 From 69e36c94a6d9d92371695b0aa3f1097e42122eb5 Mon Sep 17 00:00:00 2001
2 From: Stefan Haberland <sth@linux.ibm.com>
3 Date: Wed, 21 Nov 2018 12:39:47 +0100
4 Subject: s390/dasd: fix using offset into zero size array error
5
6 [ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
7
8 Dan Carpenter reported the following:
9
10 The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
11 for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
12 checker warning:
13
14 drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
15 error: using offset into zero size array 'psf_data[]'
16
17 drivers/s390/block/dasd_eckd.c
18 4458 /* Copy parms from caller */
19 4459 rc = -EFAULT;
20 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
21 ^^^^^^^
22 The user can specify any "usrparm.psf_data_len". They choose zero by
23 mistake.
24
25 4461 goto out;
26 4462 if (is_compat_task()) {
27 4463 /* Make sure pointers are sane even on 31 bit. */
28 4464 rc = -EINVAL;
29 4465 if ((usrparm.psf_data >> 32) != 0)
30 4466 goto out;
31 4467 if ((usrparm.rssd_result >> 32) != 0)
32 4468 goto out;
33 4469 usrparm.psf_data &= 0x7fffffffULL;
34 4470 usrparm.rssd_result &= 0x7fffffffULL;
35 4471 }
36 4472 /* alloc I/O data area */
37 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
38 | GFP_DMA);
39 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
40 | GFP_DMA);
41 4475 if (!psf_data || !rssd_result) {
42
43 kzalloc() returns a ZERO_SIZE_PTR (0x16).
44
45 4476 rc = -ENOMEM;
46 4477 goto out_free;
47 4478 }
48 4479
49 4480 /* get syscall header from user space */
50 4481 rc = -EFAULT;
51 4482 if (copy_from_user(psf_data,
52 4483 (void __user *)(unsigned long)
53 usrparm.psf_data,
54 4484 usrparm.psf_data_len))
55
56 That all works great.
57
58 4485 goto out_free;
59 4486 psf0 = psf_data[0];
60 4487 psf1 = psf_data[1];
61
62 But now we're assuming that "->psf_data_len" was at least 2 bytes.
63
64 Fix this by checking the user specified length psf_data_len.
65
66 Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
67 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
68 Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
69 Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
70 Signed-off-by: Sasha Levin <sashal@kernel.org>
71 ---
72 drivers/s390/block/dasd_eckd.c | 8 ++++++++
73 1 file changed, 8 insertions(+)
74
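diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index 4c7c8455da96..0a1e7f9b5239 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -4463,6 +4463,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
 usrparm.psf_data &= 0x7fffffffULL;
 usrparm.rssd_result &= 0x7fffffffULL;
 }
+/* at least 2 bytes are accessed and should be allocated */
+if (usrparm.psf_data_len < 2) {
+DBF_DEV_EVENT(DBF_WARNING, device,
+"Symmetrix ioctl invalid data length %d",
+usrparm.psf_data_len);
+rc = -EINVAL;
+goto out;
+}
 /* alloc I/O data area */
 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);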
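Review bot: The new `psf_data_len < 2` guard does double duty only if the field is signed — the `%d` in the DBF message suggests it is — and the comment should say so, since a signed compare also rejects negative lengths that kzalloc would otherwise receive as an enormous size_t: `/* at least 2 bytes are accessed and should be allocated; the signed compare also rejects negative lengths */`. The sibling `usrparm.rssd_result_len` on the last context line still reaches kzalloc unvalidated; whether the result buffer is later accessed with a minimum size is not visible in this hunk, but if it is, a parallel bound belongs next to this one. dasd_symm_io starts and ends outside the hunk.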
94 --
95 2.19.1
96