Justin Stitt 9fad9d560a scsi: sr: Fix unintentional arithmetic wraparound
Running syzkaller with the newly reintroduced signed integer overflow
sanitizer produces this report:

[   65.194362] ------------[ cut here ]------------
[   65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9
[   65.203607] -2147483648 * 177 cannot be represented in type 'int'
[   65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   65.219923] Call Trace:
[   65.221556]  <TASK>
[   65.223029]  dump_stack_lvl+0x93/0xd0
[   65.225573]  handle_overflow+0x171/0x1b0
[   65.228219]  sr_select_speed+0xeb/0xf0
[   65.230786]  ? __pm_runtime_resume+0xe6/0x130
[   65.233606]  sr_block_ioctl+0x15d/0x1d0
...

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the kernel
with Commit 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer").

Firstly, let's change the type of "speed" to unsigned long as
sr_select_speed()'s only caller passes in an unsigned long anyways.

$ git grep '\.select_speed'
|	drivers/scsi/sr.c:      .select_speed           = sr_select_speed,
...
|	static int cdrom_ioctl_select_speed(struct cdrom_device_info *cdi,
|	                unsigned long arg)
|	{
|	        ...
|	        return cdi->ops->select_speed(cdi, arg);
|	}

Next, let's add an extra check to make sure we don't exceed 0xffff/177
(350) since 0xffff is the max speed. This has two benefits: 1) we deal
with integer overflow before it happens and 2) we properly respect the
max speed of 0xffff. There are some "magic" numbers here but I did not
want to change more than what was necessary.

Link: https://github.com/llvm/llvm-project/pull/82432 [1]
Closes: https://github.com/KSPP/linux/issues/357
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240508-b4-b4-sio-sr_select_speed-v2-1-00b68f724290@google.com
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2024-05-15 10:05:24 -04:00

323 lines
8.9 KiB
C

/* SPDX-License-Identifier: GPL-2.0 */
/*
* -- <linux/cdrom.h>
* General header file for linux CD-ROM drivers
* Copyright (C) 1992 David Giller, rafetmad@oxy.edu
* 1994, 1995 Eberhard Mönkeberg, emoenke@gwdg.de
* 1996 David van Leeuwen, david@tm.tno.nl
* 1997, 1998 Erik Andersen, andersee@debian.org
* 1998-2002 Jens Axboe, axboe@suse.de
*/
#ifndef _LINUX_CDROM_H
#define _LINUX_CDROM_H
#include <linux/fs.h> /* not really needed, later.. */
#include <linux/list.h>
#include <linux/blkdev.h>
#include <scsi/scsi_common.h>
#include <uapi/linux/cdrom.h>
struct packet_command
{
unsigned char cmd[CDROM_PACKET_SIZE];
unsigned char *buffer;
unsigned int buflen;
int stat;
struct scsi_sense_hdr *sshdr;
unsigned char data_direction;
int quiet;
int timeout;
void *reserved[1];
};
/*
* _OLD will use PIO transfer on atapi devices, _BPC_* will use DMA
*/
#define CDDA_OLD 0 /* old style */
#define CDDA_BPC_SINGLE 1 /* single frame block pc */
#define CDDA_BPC_FULL 2 /* multi frame block pc */
/* Uniform cdrom data structures for cdrom.c */
struct cdrom_device_info {
const struct cdrom_device_ops *ops; /* link to device_ops */
struct list_head list; /* linked list of all device_info */
struct gendisk *disk; /* matching block layer disk */
void *handle; /* driver-dependent data */
/* specifications */
int mask; /* mask of capability: disables them */
int speed; /* maximum speed for reading data */
int capacity; /* number of discs in jukebox */
/* device-related storage */
unsigned int options : 30; /* options flags */
unsigned mc_flags : 2; /* media change buffer flags */
unsigned int vfs_events; /* cached events for vfs path */
unsigned int ioctl_events; /* cached events for ioctl path */
int use_count; /* number of times device opened */
char name[20]; /* name of the device type */
/* per-device flags */
__u8 sanyo_slot : 2; /* Sanyo 3 CD changer support */
__u8 keeplocked : 1; /* CDROM_LOCKDOOR status */
__u8 reserved : 5; /* not used yet */
int cdda_method; /* see flags */
__u8 last_sense;
__u8 media_written; /* dirty flag, DVD+RW bookkeeping */
unsigned short mmc3_profile; /* current MMC3 profile */
int (*exit)(struct cdrom_device_info *);
int mrw_mode_page;
bool opened_for_data;
__s64 last_media_change_ms;
};
struct cdrom_device_ops {
/* routines */
int (*open) (struct cdrom_device_info *, int);
void (*release) (struct cdrom_device_info *);
int (*drive_status) (struct cdrom_device_info *, int);
unsigned int (*check_events) (struct cdrom_device_info *cdi,
unsigned int clearing, int slot);
int (*tray_move) (struct cdrom_device_info *, int);
int (*lock_door) (struct cdrom_device_info *, int);
int (*select_speed) (struct cdrom_device_info *, unsigned long);
int (*get_last_session) (struct cdrom_device_info *,
struct cdrom_multisession *);
int (*get_mcn) (struct cdrom_device_info *,
struct cdrom_mcn *);
/* hard reset device */
int (*reset) (struct cdrom_device_info *);
/* play stuff */
int (*audio_ioctl) (struct cdrom_device_info *,unsigned int, void *);
/* handle uniform packets for scsi type devices (scsi,atapi) */
int (*generic_packet) (struct cdrom_device_info *,
struct packet_command *);
int (*read_cdda_bpc)(struct cdrom_device_info *cdi, void __user *ubuf,
u32 lba, u32 nframes, u8 *last_sense);
/* driver specifications */
const int capability; /* capability flags */
};
int cdrom_multisession(struct cdrom_device_info *cdi,
struct cdrom_multisession *info);
int cdrom_read_tocentry(struct cdrom_device_info *cdi,
struct cdrom_tocentry *entry);
/* the general block_device operations structure: */
int cdrom_open(struct cdrom_device_info *cdi, blk_mode_t mode);
void cdrom_release(struct cdrom_device_info *cdi);
int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
unsigned int cmd, unsigned long arg);
extern unsigned int cdrom_check_events(struct cdrom_device_info *cdi,
unsigned int clearing);
extern int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi);
extern void unregister_cdrom(struct cdrom_device_info *cdi);
typedef struct {
int data;
int audio;
int cdi;
int xa;
long error;
} tracktype;
extern int cdrom_get_last_written(struct cdrom_device_info *cdi, long *last_written);
extern int cdrom_number_of_slots(struct cdrom_device_info *cdi);
extern int cdrom_mode_select(struct cdrom_device_info *cdi,
struct packet_command *cgc);
extern int cdrom_mode_sense(struct cdrom_device_info *cdi,
struct packet_command *cgc,
int page_code, int page_control);
extern void init_cdrom_command(struct packet_command *cgc,
void *buffer, int len, int type);
extern int cdrom_dummy_generic_packet(struct cdrom_device_info *cdi,
struct packet_command *cgc);
/* The SCSI spec says there could be 256 slots. */
#define CDROM_MAX_SLOTS 256
struct cdrom_mechstat_header {
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 fault : 1;
__u8 changer_state : 2;
__u8 curslot : 5;
__u8 mech_state : 3;
__u8 door_open : 1;
__u8 reserved1 : 4;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 curslot : 5;
__u8 changer_state : 2;
__u8 fault : 1;
__u8 reserved1 : 4;
__u8 door_open : 1;
__u8 mech_state : 3;
#endif
__u8 curlba[3];
__u8 nslots;
__u16 slot_tablelen;
};
struct cdrom_slot {
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 disc_present : 1;
__u8 reserved1 : 6;
__u8 change : 1;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 change : 1;
__u8 reserved1 : 6;
__u8 disc_present : 1;
#endif
__u8 reserved2[3];
};
struct cdrom_changer_info {
struct cdrom_mechstat_header hdr;
struct cdrom_slot slots[CDROM_MAX_SLOTS];
};
typedef enum {
mechtype_caddy = 0,
mechtype_tray = 1,
mechtype_popup = 2,
mechtype_individual_changer = 4,
mechtype_cartridge_changer = 5
} mechtype_t;
typedef struct {
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 ps : 1;
__u8 reserved1 : 1;
__u8 page_code : 6;
__u8 page_length;
__u8 reserved2 : 1;
__u8 bufe : 1;
__u8 ls_v : 1;
__u8 test_write : 1;
__u8 write_type : 4;
__u8 multi_session : 2; /* or border, DVD */
__u8 fp : 1;
__u8 copy : 1;
__u8 track_mode : 4;
__u8 reserved3 : 4;
__u8 data_block_type : 4;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 page_code : 6;
__u8 reserved1 : 1;
__u8 ps : 1;
__u8 page_length;
__u8 write_type : 4;
__u8 test_write : 1;
__u8 ls_v : 1;
__u8 bufe : 1;
__u8 reserved2 : 1;
__u8 track_mode : 4;
__u8 copy : 1;
__u8 fp : 1;
__u8 multi_session : 2; /* or border, DVD */
__u8 data_block_type : 4;
__u8 reserved3 : 4;
#endif
__u8 link_size;
__u8 reserved4;
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 reserved5 : 2;
__u8 app_code : 6;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 app_code : 6;
__u8 reserved5 : 2;
#endif
__u8 session_format;
__u8 reserved6;
__be32 packet_size;
__u16 audio_pause;
__u8 mcn[16];
__u8 isrc[16];
__u8 subhdr0;
__u8 subhdr1;
__u8 subhdr2;
__u8 subhdr3;
} __attribute__((packed)) write_param_page;
struct modesel_head
{
__u8 reserved1;
__u8 medium;
__u8 reserved2;
__u8 block_desc_length;
__u8 density;
__u8 number_of_blocks_hi;
__u8 number_of_blocks_med;
__u8 number_of_blocks_lo;
__u8 reserved3;
__u8 block_length_hi;
__u8 block_length_med;
__u8 block_length_lo;
};
typedef struct {
__u16 report_key_length;
__u8 reserved1;
__u8 reserved2;
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 type_code : 2;
__u8 vra : 3;
__u8 ucca : 3;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 ucca : 3;
__u8 vra : 3;
__u8 type_code : 2;
#endif
__u8 region_mask;
__u8 rpc_scheme;
__u8 reserved3;
} rpc_state_t;
struct event_header {
__be16 data_len;
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 nea : 1;
__u8 reserved1 : 4;
__u8 notification_class : 3;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 notification_class : 3;
__u8 reserved1 : 4;
__u8 nea : 1;
#endif
__u8 supp_event_class;
};
struct media_event_desc {
#if defined(__BIG_ENDIAN_BITFIELD)
__u8 reserved1 : 4;
__u8 media_event_code : 4;
__u8 reserved2 : 6;
__u8 media_present : 1;
__u8 door_open : 1;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
__u8 media_event_code : 4;
__u8 reserved1 : 4;
__u8 door_open : 1;
__u8 media_present : 1;
__u8 reserved2 : 6;
#endif
__u8 start_slot;
__u8 end_slot;
};
extern int cdrom_get_media_event(struct cdrom_device_info *cdi, struct media_event_desc *med);
static inline void lba_to_msf(int lba, u8 *m, u8 *s, u8 *f)
{
lba += CD_MSF_OFFSET;
lba &= 0xffffff; /* negative lbas use only 24 bits */
*m = lba / (CD_SECS * CD_FRAMES);
lba %= (CD_SECS * CD_FRAMES);
*s = lba / CD_FRAMES;
*f = lba % CD_FRAMES;
}
static inline int msf_to_lba(u8 m, u8 s, u8 f)
{
return (((m * CD_SECS) + s) * CD_FRAMES + f) - CD_MSF_OFFSET;
}
#endif /* _LINUX_CDROM_H */