qemu-devel

Re: [PATCH] fdc: check drive block device before usage (CVE-2021-20196)


From: P J P
Subject: Re: [PATCH] fdc: check drive block device before usage (CVE-2021-20196)
Date: Wed, 19 May 2021 13:02:13 +0530 (IST)

  Hello John,

+-- On Tue, 18 May 2021, John Snow wrote --+
| Annotated:
| 
| # fdctrl->cur_drv starts at 0x00
| # fdctrl->dor starts at 0x0c (DMA, RESET#)
| # fdctrl->dsr starts at 0x00
| 
| > outb 0x3f2 0x04
| fdc_ioport_write write reg 0x02 [DOR] Digital Output Register val 0x04
|   DOR changed from default after SeaBIOS init from 0x0c to 0x04
|   DMA GATE# (0x08) set from 1 --> 0
|   DMA GATE# appears needed to coerce fdc into a "non-dma transfer".
|   +RESET# remains on. Needed to avoid engaging RESET routine.
| 
| > outb 0x3f4 0x03
| fdc_ioport_write write reg 0x04 [DSR] Date Rate Select Register val 0x03
|   DSR: +DRATE SEL1
|   DSR: +DRATE SEL0
|   Needed to prevent "data rate mismatch" error handling by write cmd.
| 
| The next 9 bytes (all to 0x3f5) set up the write command.
| 
| 0x25 selects the "Write (BeOS)" command.
| 0x01 selects drive1.
| ...
| 0x01 appears to say that a sector is "1 byte", but oddly enough no other value
| seems to trigger this crash. Not sure why. Recommend investigating if you have
| time. Could be transfer length calculation bug.
| 
| > outb 0x3f3 0x04
| fdc_ioport_write write reg 0x03 [TDR] Tape Drive Register val 0x04
|     TDR: +BOOTSEL
|     This changes the meaning of cur_drv and flips selection (as far as
| I can tell) back to drive0 instead of the command's programmed drive1.
| 
| > outb 0x3f5 0x00
| fdc_ioport_write write reg 0x05 [FIFO] Data val 0x00
|     write is attempted on "drv1" which due to BOOTSEL maps back to "drv0",
| which is undefined.
| 
| This should (I hope) help guide to write a more targeted patch and a good
| qtest case.

* Cool, thank you so much for these details John, I appreciate it.

* I'll go through the 3 fdc issues we've found open and try to fix them
  together as one series.


Thank you.
--
 - P J P
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
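The analysis quoted above boils down to one point: the drive the command programmed is not necessarily the drive the controller ends up touching, because the TDR BOOTSEL bit remaps the selection, and the remapped drive may have no block device attached. The following is an added toy model, not QEMU's code and not the patch under discussion: all names (toy_fdctrl, toy_drive, TOY_TDR_BOOTSEL, toy_get_cur_drv, toy_fdc_write_sector, toy_run) are made up for illustration, and the BOOTSEL swap is an assumed simplification of the behaviour John describes. It shows the kind of check the patch title refers to, validating the resolved drive's block device before using it, so that a remapped selection fails cleanly instead of dereferencing a missing backend.

```c
/* Added example (not QEMU's code): a toy model of floppy-controller drive
 * selection, showing a "check the block device before use" guard.
 * Every identifier here is an assumption for illustration, not a name
 * from hw/block/fdc.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_MAX_FD      2
#define TOY_TDR_BOOTSEL 0x04   /* assumed: BOOTSEL bit in the Tape Drive Register */

/* Stand-in for a block backend; a NULL pointer means "no drive attached". */
typedef struct toy_blk {
    uint8_t data[64];
    size_t  written;
} toy_blk;

typedef struct toy_drive {
    toy_blk *blk;              /* NULL when the drive has no backing device */
} toy_drive;

typedef struct toy_fdctrl {
    uint8_t   tdr;             /* Tape Drive Register */
    int       cur_drv;         /* drive number programmed by the command */
    toy_drive drives[TOY_MAX_FD];
} toy_fdctrl;

/* Assumed simplification of the BOOTSEL effect described in the thread:
 * with BOOTSEL set, the selected unit is swapped (drive1 -> drive0). */
static toy_drive *toy_get_cur_drv(toy_fdctrl *f)
{
    int unit = f->cur_drv;
    if (f->tdr & TOY_TDR_BOOTSEL) {
        unit ^= 1;
    }
    return &f->drives[unit % TOY_MAX_FD];
}

/* Write up to one buffer of bytes to the currently selected drive.
 * Returns the number of bytes written, or -1 when the resolved drive has
 * no block device. Without the blk == NULL check, a command that named an
 * attached drive could still reach an unattached one after remapping. */
static int toy_fdc_write_sector(toy_fdctrl *f, const uint8_t *buf, size_t len)
{
    toy_drive *drv = toy_get_cur_drv(f);

    if (drv->blk == NULL) {
        /* The guard: refuse to use a drive with no backing block device
         * instead of dereferencing a NULL backend. */
        return -1;
    }
    if (len > sizeof drv->blk->data) {
        len = sizeof drv->blk->data;
    }
    memcpy(drv->blk->data, buf, len);
    drv->blk->written = len;
    return (int)len;
}

/* Build a constructed controller state where only drive1 is attached,
 * program drive1, and attempt a write with BOOTSEL off (0) or on (1). */
static int toy_run(int bootsel)
{
    toy_fdctrl f;
    toy_blk    blk1;
    uint8_t    sector[4] = {0xde, 0xad, 0xbe, 0xef};  /* constructed payload */

    memset(&f, 0, sizeof f);
    memset(&blk1, 0, sizeof blk1);
    f.drives[0].blk = NULL;   /* drive0: no block device */
    f.drives[1].blk = &blk1;  /* drive1: attached */
    f.cur_drv = 1;            /* the command selected drive1 */
    f.tdr = bootsel ? TOY_TDR_BOOTSEL : 0;
    return toy_fdc_write_sector(&f, sector, sizeof sector);
}

int main(void)
{
    printf("BOOTSEL off: %d\n", toy_run(0));  /* 4: bytes land on attached drive1 */
    printf("BOOTSEL on:  %d\n", toy_run(1));  /* -1: remapped to unattached drive0, rejected */
    return 0;
}
```

The design point is where the check sits: it is applied to the drive returned by the selection logic, after any remapping, rather than to the drive number the guest wrote into the command, which is exactly the gap the quoted trace illustrates.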