In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default.

Affected Package

OS OS Version Package Name Package Version
ubuntu 19.04 linux 5.0.0-27.28
ubuntu 12.04 linux any
ubuntu 14.04 linux any
ubuntu upstream linux 5.3~rc1
ubuntu 16.04 linux 4.4.0-161.189
ubuntu 19.04 linux-aws 5.0.0-1014.16
ubuntu 14.04 linux-aws any
ubuntu upstream linux-aws 5.3~rc1
ubuntu 16.04 linux-aws 4.4.0-1092.103
ubuntu upstream linux-aws-5.0 5.3~rc1
ubuntu upstream linux-aws-hwe 5.3~rc1
ubuntu 16.04 linux-aws-hwe 4.15.0-1047.49~16.04.1
ubuntu 19.04 linux-azure 5.0.0-1018.19
ubuntu 14.04 linux-azure any
ubuntu upstream linux-azure 5.3~rc1
ubuntu 16.04 linux-azure 4.15.0-1056.61
ubuntu upstream linux-azure-5.3 5.3~rc1
ubuntu upstream linux-azure-edge 5.3~rc1
ubuntu 16.04 linux-azure-edge 4.15.0-1056.61
ubuntu upstream linux-euclid 5.3~rc1
ubuntu 16.04 linux-euclid any
ubuntu upstream linux-flo 5.3~rc1
ubuntu 19.04 linux-gcp 5.0.0-1015.15
ubuntu upstream linux-gcp 5.3~rc1
ubuntu 16.04 linux-gcp 4.15.0-1041.43
ubuntu upstream linux-gcp-5.3 5.3~rc1
ubuntu upstream linux-gcp-edge 5.3~rc1
ubuntu upstream linux-gke 5.3~rc1
ubuntu upstream linux-gke-4.15 5.3~rc1
ubuntu upstream linux-gke-5.0 5.3~rc1
ubuntu upstream linux-goldfish 5.3~rc1
ubuntu upstream linux-grouper 5.3~rc1
ubuntu upstream linux-hwe 5.3~rc1
ubuntu 16.04 linux-hwe 4.15.0-60.67~16.04.1
ubuntu upstream linux-hwe-edge 5.3~rc1
ubuntu 16.04 linux-hwe-edge 4.15.0-60.67~16.04.1
ubuntu 19.04 linux-kvm 5.0.0-1015.16
ubuntu upstream linux-kvm 5.3~rc1
ubuntu 16.04 linux-kvm 4.4.0-1056.63
ubuntu 12.04 linux-lts-trusty any
ubuntu upstream linux-lts-trusty 5.3~rc1
ubuntu upstream linux-lts-utopic 5.3~rc1
ubuntu upstream linux-lts-vivid 5.3~rc1
ubuntu upstream linux-lts-wily 5.3~rc1
ubuntu 14.04 linux-lts-xenial any
ubuntu upstream linux-lts-xenial 5.3~rc1
ubuntu upstream linux-maguro 5.3~rc1
ubuntu upstream linux-mako 5.3~rc1
ubuntu upstream linux-manta 5.3~rc1
ubuntu 19.04 linux-oem was pending \[4.15.0-1056.65\] now end-of-life
ubuntu 19.10 linux-oem 4.15.0-1059.68
ubuntu upstream linux-oem 5.3~rc1
ubuntu 16.04 linux-oem any
ubuntu upstream linux-oem-5.4 5.3~rc1
ubuntu 19.04 linux-oem-osp1 was pending \[5.0.0-1022.24\] now end-of-life
ubuntu 19.10 linux-oem-osp1 5.0.0-1022.24
ubuntu upstream linux-oem-osp1 5.3~rc1
ubuntu 19.04 linux-oracle 5.0.0-1004.8
ubuntu upstream linux-oracle 5.3~rc1
ubuntu 16.04 linux-oracle 4.15.0-1022.25~16.04.1
ubuntu upstream linux-oracle-5.0 5.3~rc1
ubuntu 19.04 linux-raspi2 5.0.0-1015.15
ubuntu upstream linux-raspi2 5.3~rc1
ubuntu 16.04 linux-raspi2 4.4.0-1120.129
ubuntu upstream linux-raspi2-5.3 5.3~rc1
ubuntu 19.04 linux-snapdragon 5.0.0-1019.20
ubuntu upstream linux-snapdragon 5.3~rc1
ubuntu 16.04 linux-snapdragon 4.4.0-1124.130