Commit 0836275d authored by Denis Efremov's avatar Denis Efremov
Browse files

floppy: suppress UBSAN warning in setup_rw_floppy() 

UBSAN: array-index-out-of-bounds in drivers/block/floppy.c:1521:45
index 16 is out of range for type 'unsigned char [16]'
Call Trace:
...
 setup_rw_floppy+0x5c3/0x7f0
 floppy_ready+0x2be/0x13b0
 process_one_work+0x2c1/0x5d0
 worker_thread+0x56/0x5e0
 kthread+0x122/0x170
 ret_from_fork+0x35/0x40

From include/uapi/linux/fd.h:
struct floppy_raw_cmd {
	...
	unsigned char cmd_count;
	unsigned char cmd[16];
	unsigned char reply_count;
	unsigned char reply[16];
	...
}

This out-of-bounds access is intentional. The command in struct
floppy_raw_cmd may take up the space initially intended for the reply
and the reply count. It is needed for long 82078 commands such as
RESTORE, which takes 17 command bytes. Initial cmd size is not enough
and since struct setup_rw_floppy is a part of uapi we check that
cmd_count is in [0:16+1+16] in raw_cmd_copyin().

The patch adds union with original cmd,reply_count,reply fields and
fullcmd field of equivalent size. The cmd accesses are turned to
fullcmd where appropriate to suppress UBSAN warning.

Link: https://lore.kernel.org/r/20200501134416.72248-5-efremov@linux.com


Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarDenis Efremov <efremov@linux.com>
parent bd10a5f3

drivers/block/floppy.c

+2 −2
Original line number Diff line number Diff line
@@ -1070,7 +1070,7 @@ static void setup_DMA(void) 
	if (raw_cmd->length == 0) {

		print_hex_dump(KERN_INFO, "zero dma transfer size: ",

			       DUMP_PREFIX_NONE, 16, 1,

			       raw_cmd->cmd, raw_cmd->cmd_count, false);

			       raw_cmd->fullcmd, raw_cmd->cmd_count, false);

		cont->done(0);

		fdc_state[current_fdc].reset = 1;

		return;
@@ -1515,7 +1515,7 @@ static void setup_rw_floppy(void) 


	r = 0;

	for (i = 0; i < raw_cmd->cmd_count; i++)

		r |= output_byte(current_fdc, raw_cmd->cmd[i]);

		r |= output_byte(current_fdc, raw_cmd->fullcmd[i]);



	debugt(__func__, "rw_command");

include/uapi/linux/fd.h

+8 −3
Original line number Diff line number Diff line
@@ -371,9 +371,14 @@ struct floppy_raw_cmd { 
	 */



	unsigned char cmd_count;

	union {

		struct {

			unsigned char cmd[FD_RAW_CMD_SIZE];

			unsigned char reply_count;

			unsigned char reply[FD_RAW_REPLY_SIZE];

		};

		unsigned char fullcmd[FD_RAW_CMD_FULLSIZE];

	};

	int track;

	int resultcode;

CRA Git | Maintained and supported by SUSTech CRA and CCSE