* [PATCH] brd: prevent overflow caused by too large rd_size parameter
@ 2017-09-22 4:10 Satoru Takeuchi
0 siblings, 0 replies; only message in thread
From: Satoru Takeuchi @ 2017-09-22 4:10 UTC (permalink / raw)
To: linux-kernel; +Cc: Jens Axboe, Jan Kara
The max value of rd_size parameter is ULONG_MAX from the following commit.
Commit 366f4aea649a65c3735d91b4409d84c771811290 ("brd: Switch rd_size
to unsigned long")
However, this parameter * 1024 will be set as inode->i_size corresponding
to brd devices and it's a signed value. To prevent overflow, this parameter
should be equal to or smaller than the max value of sector_t >> 11, 10 bits
are for 1024 and 1 bit is for sign bit.
Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
---
drivers/block/brd.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/block/brd.c b/drivers/block/brd.c
index 104b71c..2b00e7d 100644
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -546,6 +546,14 @@ static int __init brd_init(void)
* dynamically.
*/
+ /*
+ * rd_size * 1024 will be set as its inode->i_size and it's a signed
+ * value. So rd_size should be equal to or smaller than the max value
+ * of sector_t >> 11, 10 bits are for 1024 and 1 bit is for sign bit.
+ */
+ if (rd_size >> (sizeof(sector_t) * 8 - 11))
+ return -EINVAL;
+
if (register_blkdev(RAMDISK_MAJOR, "ramdisk"))
return -EIO;
--
2.7.4
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2017-09-22 4:10 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-09-22 4:10 [PATCH] brd: prevent overflow caused by too large rd_size parameter Satoru Takeuchi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.