From: Satoru Takeuchi <satoru.takeuchi@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>, Jan Kara <jack@suse.cz>
Subject: [PATCH] brd: prevent overflow caused by too large rd_size parameter
Date: Fri, 22 Sep 2017 13:10:10 +0900
Message-ID: <87r2uze5lp.wl-satoru.takeuchi@gmail.com>

The max value of the rd_size parameter is ULONG_MAX since the following commit.

Commit 366f4aea649a65c3735d91b4409d84c771811290 ("brd: Switch rd_size
to unsigned long")

However, this parameter * 1024 will be set as the inode->i_size corresponding
to brd devices, and it's a signed value. To prevent overflow, this parameter
should be equal to or smaller than the max value of sector_t >> 11; 10 bits
are for 1024 and 1 bit is for the sign bit.

Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
---
 drivers/block/brd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/block/brd.c b/drivers/block/brd.c
index 104b71c..2b00e7d 100644
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -546,6 +546,14 @@ static int __init brd_init(void)
 	 *	dynamically.
 	 */
 
+	/*
+	 * rd_size * 1024 will be set as its inode->i_size and it's a signed
+	 * value. So rd_size should be equal to or smaller than the max value
+	 * of sector_t >> 11, 10 bits are for 1024 and 1 bit is for sign bit.
+	 */
+	if (rd_size >> (sizeof(sector_t) * 8 - 11))
+		return -EINVAL;
+
 	if (register_blkdev(RAMDISK_MAJOR, "ramdisk"))
 		return -EIO;
 
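Review bot: the shift count in `rd_size >> (sizeof(sector_t) * 8 - 11)` is derived from sector_t, but the value being shifted is rd_size, which the commit message says is unsigned long, and the overflow the comment describes is in the signed inode->i_size. On any configuration where sector_t is wider than unsigned long, the shift count reaches or exceeds the width of rd_size, which is undefined behaviour in C, so the check cannot be relied on there. Where sector_t is narrower than the type of i_size, the bound is tighter than the stated rationale requires. Consider expressing the limit as a comparison against a maximum computed from the type that actually holds i_size (for example, its maximum value divided by 1024) instead of a shift sized on sector_t, and update the comment to name that type. Since brd_init() now fails with -EINVAL on a bad module parameter, a short error message saying that rd_size is too large would also help whoever loads the module understand why it failed.
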
-- 
2.7.4
