Home Home > GIT Browse > SLE15
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPetr Tesarik <ptesarik@suse.cz>2019-06-24 09:36:42 +0200
committerPetr Tesarik <ptesarik@suse.cz>2019-06-24 09:36:53 +0200
commit6fab6292dd83651b199e29937da8006a717d28e8 (patch)
tree8067d8464fb333ef61f9d1e468026afa21c23540
parenta759aeae9e8f32fba498f5fcf93b53c5b4b2c5e0 (diff)
s390/dasd: fix using offset into zero size array error
(bsc#1051510).
-rw-r--r--patches.fixes/s390-dasd-fix-using-offset-into-zero-size-array-error91
-rw-r--r--series.conf1
2 files changed, 92 insertions, 0 deletions
diff --git a/patches.fixes/s390-dasd-fix-using-offset-into-zero-size-array-error b/patches.fixes/s390-dasd-fix-using-offset-into-zero-size-array-error
new file mode 100644
index 0000000000..1e59cbbdd7
--- /dev/null
+++ b/patches.fixes/s390-dasd-fix-using-offset-into-zero-size-array-error
@@ -0,0 +1,91 @@
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 21 Nov 2018 12:39:47 +0100
+Subject: s390/dasd: fix using offset into zero size array error
+Git-commit: 4a8ef6999bce998fa5813023a9a6b56eea329dba
+Patch-mainline: v5.0-rc7
+References: bsc#1051510
+
+Dan Carpenter reported the following:
+
+The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
+for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
+checker warning:
+
+ drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
+ error: using offset into zero size array 'psf_data[]'
+
+drivers/s390/block/dasd_eckd.c
+ 4458 /* Copy parms from caller */
+ 4459 rc = -EFAULT;
+ 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
+ ^^^^^^^
+The user can specify any "usrparm.psf_data_len". They choose zero by
+mistake.
+
+ 4461 goto out;
+ 4462 if (is_compat_task()) {
+ 4463 /* Make sure pointers are sane even on 31 bit. */
+ 4464 rc = -EINVAL;
+ 4465 if ((usrparm.psf_data >> 32) != 0)
+ 4466 goto out;
+ 4467 if ((usrparm.rssd_result >> 32) != 0)
+ 4468 goto out;
+ 4469 usrparm.psf_data &= 0x7fffffffULL;
+ 4470 usrparm.rssd_result &= 0x7fffffffULL;
+ 4471 }
+ 4472 /* alloc I/O data area */
+ 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
+ | GFP_DMA);
+ 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
+ | GFP_DMA);
+ 4475 if (!psf_data || !rssd_result) {
+
+kzalloc() returns a ZERO_SIZE_PTR (0x16).
+
+ 4476 rc = -ENOMEM;
+ 4477 goto out_free;
+ 4478 }
+ 4479
+ 4480 /* get syscall header from user space */
+ 4481 rc = -EFAULT;
+ 4482 if (copy_from_user(psf_data,
+ 4483 (void __user *)(unsigned long)
+ usrparm.psf_data,
+ 4484 usrparm.psf_data_len))
+
+That all works great.
+
+ 4485 goto out_free;
+ 4486 psf0 = psf_data[0];
+ 4487 psf1 = psf_data[1];
+
+But now we're assuming that "->psf_data_len" was at least 2 bytes.
+
+Fix this by checking the user specified length psf_data_len.
+
+Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ drivers/s390/block/dasd_eckd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -4522,6 +4522,14 @@ static int dasd_symm_io(struct dasd_devi
+ usrparm.psf_data &= 0x7fffffffULL;
+ usrparm.rssd_result &= 0x7fffffffULL;
+ }
++ /* at least 2 bytes are accessed and should be allocated */
++ if (usrparm.psf_data_len < 2) {
++ DBF_DEV_EVENT(DBF_WARNING, device,
++ "Symmetrix ioctl invalid data length %d",
++ usrparm.psf_data_len);
++ rc = -EINVAL;
++ goto out;
++ }
+ /* alloc I/O data area */
+ psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
+ rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
diff --git a/series.conf b/series.conf
index 5c5a21d1f6..fb4e74918a 100644
--- a/series.conf
+++ b/series.conf
@@ -21280,6 +21280,7 @@
patches.drivers/dmaengine-bcm2835-Fix-interrupt-race-on-RT.patch
patches.drivers/dmaengine-bcm2835-Fix-abort-of-transactions.patch
patches.drivers/dmaengine-dmatest-Abort-test-in-case-of-mapping-erro.patch
+ patches.fixes/s390-dasd-fix-using-offset-into-zero-size-array-error
patches.arch/s390-sles15-zcrypt-fix-specification-exception.patch
patches.drivers/ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch
patches.drivers/ALSA-usb-audio-Fix-implicit-fb-endpoint-setup-by-qui.patch