|
Takashi Iwai |
ebaab3 |
From 545a32498c536ee152331cd2e7d2416aa0f20e01 Mon Sep 17 00:00:00 2001
|
|
Takashi Iwai |
ebaab3 |
From: Xiongwei Song <sxwjean@gmail.com>
|
|
Takashi Iwai |
ebaab3 |
Date: Tue, 16 Nov 2021 21:10:33 +0800
|
|
Takashi Iwai |
ebaab3 |
Subject: [PATCH] floppy: Add max size check for user space request
|
|
Takashi Iwai |
ebaab3 |
Git-commit: 545a32498c536ee152331cd2e7d2416aa0f20e01
|
|
Takashi Iwai |
ebaab3 |
Patch-mainline: v5.17-rc1
|
|
Takashi Iwai |
ebaab3 |
References: git-fixes
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
We need to check the max request size that is from user space before
|
|
Takashi Iwai |
ebaab3 |
allocating pages. If the request size exceeds the limit, return -EINVAL.
|
|
Takashi Iwai |
ebaab3 |
This check can avoid the warning below from page allocator.
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
Warning: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
|
|
Takashi Iwai |
ebaab3 |
Warning: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
|
|
Takashi Iwai |
ebaab3 |
Modules linked in:
|
|
Takashi Iwai |
ebaab3 |
Cpu: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
|
|
Takashi Iwai |
ebaab3 |
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
|
|
Takashi Iwai |
ebaab3 |
Rip: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
|
|
Takashi Iwai |
ebaab3 |
Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
|
|
Takashi Iwai |
ebaab3 |
Rsp: 0018:ffffc90023b87850 EFLAGS: 00010246
|
|
Takashi Iwai |
ebaab3 |
Rax: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000
|
|
Takashi Iwai |
ebaab3 |
Rdx: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1
|
|
Takashi Iwai |
ebaab3 |
Rbp: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
|
|
Takashi Iwai |
ebaab3 |
R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960
|
|
Takashi Iwai |
ebaab3 |
R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30
|
|
Takashi Iwai |
ebaab3 |
Fs: 0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40
|
|
Takashi Iwai |
ebaab3 |
Cs: 0010 DS: 002b ES: 002b CR0: 0000000080050033
|
|
Takashi Iwai |
ebaab3 |
Cr2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0
|
|
Takashi Iwai |
ebaab3 |
Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
|
|
Takashi Iwai |
ebaab3 |
Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
|
|
Takashi Iwai |
ebaab3 |
Call Trace:
|
|
Takashi Iwai |
ebaab3 |
<TASK>
|
|
Takashi Iwai |
ebaab3 |
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
|
|
Takashi Iwai |
ebaab3 |
__get_free_pages+0x8/0x40 mm/page_alloc.c:5418
|
|
Takashi Iwai |
ebaab3 |
raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
|
|
Takashi Iwai |
ebaab3 |
raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
|
|
Takashi Iwai |
ebaab3 |
fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
|
|
Takashi Iwai |
ebaab3 |
fd_ioctl drivers/block/floppy.c:3555 [inline]
|
|
Takashi Iwai |
ebaab3 |
fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
|
|
Takashi Iwai |
ebaab3 |
compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
|
|
Takashi Iwai |
ebaab3 |
__do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
|
|
Takashi Iwai |
ebaab3 |
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
|
|
Takashi Iwai |
ebaab3 |
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
|
|
Takashi Iwai |
ebaab3 |
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
|
|
Takashi Iwai |
ebaab3 |
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com
|
|
Takashi Iwai |
ebaab3 |
Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com
|
|
Takashi Iwai |
ebaab3 |
Signed-off-by: Xiongwei Song <sxwjean@gmail.com>
|
|
Takashi Iwai |
ebaab3 |
Signed-off-by: Denis Efremov <efremov@linux.com>
|
|
Takashi Iwai |
ebaab3 |
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
|
Takashi Iwai |
ebaab3 |
Acked-by: Takashi Iwai <tiwai@suse.de>
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
---
|
|
Takashi Iwai |
ebaab3 |
drivers/block/floppy.c | 4 +++-
|
|
Takashi Iwai |
ebaab3 |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
|
|
Takashi Iwai |
ebaab3 |
index f0e36c18f349..e611411a934c 100644
|
|
Takashi Iwai |
ebaab3 |
--- a/drivers/block/floppy.c
|
|
Takashi Iwai |
ebaab3 |
+++ b/drivers/block/floppy.c
|
|
Takashi Iwai |
ebaab3 |
@@ -3081,6 +3081,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr)
|
|
Takashi Iwai |
ebaab3 |
}
|
|
Takashi Iwai |
ebaab3 |
}
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
+#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
|
|
Takashi Iwai |
ebaab3 |
+
|
|
Takashi Iwai |
ebaab3 |
static int raw_cmd_copyin(int cmd, void __user *param,
|
|
Takashi Iwai |
ebaab3 |
struct floppy_raw_cmd **rcmd)
|
|
Takashi Iwai |
ebaab3 |
{
|
|
Takashi Iwai |
ebaab3 |
@@ -3108,7 +3110,7 @@ static int raw_cmd_copyin(int cmd, void __user *param,
|
|
Takashi Iwai |
ebaab3 |
ptr->resultcode = 0;
|
|
Takashi Iwai |
ebaab3 |
|
|
Takashi Iwai |
ebaab3 |
if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
|
|
Takashi Iwai |
ebaab3 |
- if (ptr->length <= 0)
|
|
Takashi Iwai |
ebaab3 |
+ if (ptr->length <= 0 || ptr->length >= MAX_LEN)
|
|
Takashi Iwai |
ebaab3 |
return -EINVAL;
|
|
Takashi Iwai |
ebaab3 |
ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
|
|
Takashi Iwai |
ebaab3 |
fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
|
|
Takashi Iwai |
ebaab3 |
--
|
|
Takashi Iwai |
ebaab3 |
2.31.1
|
|
Takashi Iwai |
ebaab3 |
|