OpenCloudOS-Kernel/include
Denis Efremov 0836275df4 floppy: suppress UBSAN warning in setup_rw_floppy()
UBSAN: array-index-out-of-bounds in drivers/block/floppy.c:1521:45
index 16 is out of range for type 'unsigned char [16]'
Call Trace:
...
 setup_rw_floppy+0x5c3/0x7f0
 floppy_ready+0x2be/0x13b0
 process_one_work+0x2c1/0x5d0
 worker_thread+0x56/0x5e0
 kthread+0x122/0x170
 ret_from_fork+0x35/0x40

From include/uapi/linux/fd.h:
struct floppy_raw_cmd {
	...
	unsigned char cmd_count;
	unsigned char cmd[16];
	unsigned char reply_count;
	unsigned char reply[16];
	...
}

This out-of-bounds access is intentional. The command in struct
floppy_raw_cmd may take up the space initially intended for the reply
and the reply count. It is needed for long 82078 commands such as
RESTORE, which takes 17 command bytes. Initial cmd size is not enough
and since struct setup_rw_floppy is a part of uapi we check that
cmd_count is in [0:16+1+16] in raw_cmd_copyin().

The patch adds union with original cmd,reply_count,reply fields and
fullcmd field of equivalent size. The cmd accesses are turned to
fullcmd where appropriate to suppress UBSAN warning.

Link: https://lore.kernel.org/r/20200501134416.72248-5-efremov@linux.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Denis Efremov <efremov@linux.com>
2020-05-12 19:34:57 +03:00
..
acpi Additional ACPI updates for 5.7-rc1 2020-04-06 10:35:06 -07:00
asm-generic hyperv-fixes for 5.7-rc1 2020-04-14 11:58:04 -07:00
clocksource pwm: omap-dmtimer: Drop unused header file 2020-03-30 18:03:06 +02:00
crypto crypto: curve25519 - do not pollute dispatcher based on assembler 2020-04-09 00:01:59 +09:00
drm drm/bridge: analogix_dp: Split bind() into probe() and real bind() 2020-04-09 10:29:35 +02:00
dt-bindings RISC-V Patches for the 5.7 Merge Window, Part 1 2020-04-09 10:51:30 -07:00
keys KEYS: Don't write out to userspace while holding key semaphore 2020-03-29 12:40:41 +01:00
kunit kunit: subtests should be indented 4 spaces according to TAP 2020-03-26 14:08:41 -06:00
kvm KVM: arm64: GICv4.1: Allow SGIs to switch between HW and SW interrupts 2020-03-24 12:15:51 +00:00
linux nvme: define constants for identification values 2020-05-09 16:18:36 -06:00
math-emu
media media: cec-notifier: make cec_notifier_get_conn() static 2020-03-20 09:02:45 +01:00
misc
net cfg80211: fix kernel-doc notation 2020-04-14 12:40:02 +02:00
pcmcia
ras
rdma IB/mlx5: Expose UAR object and its alloc/destroy commands 2020-03-27 12:59:04 -03:00
scsi block: move dma_pad handling from blk_rq_map_sg into the callers 2020-04-22 10:47:39 -06:00
soc net: mscc: ocelot: fix untagged packet drops when enslaving to vlan aware bridge 2020-04-15 12:27:35 -07:00
sound ALSA: hda: Skip controller resume if not needed 2020-04-13 18:03:16 +02:00
target scsi: target: fix hang when multiple threads try to destroy the same iscsi session 2020-03-26 21:47:47 -04:00
trace bdi: use bdi_dev_name() to get device name 2020-05-09 16:07:39 -06:00
uapi floppy: suppress UBSAN warning in setup_rw_floppy() 2020-05-12 19:34:57 +03:00
vdso vdso: Fix clocksource.h macro detection 2020-03-23 18:51:08 +01:00
video
xen xen: Use evtchn_type_t as a type for event channels 2020-04-07 12:12:54 +02:00