* [PATCH] dm: fix a buffer overflow in ioctl processing
@ 2026-04-09 15:49 Mikulas Patocka
From: Mikulas Patocka @ 2026-04-09 15:49 UTC (permalink / raw)
To: dm-devel
Cc: Tony Asleson, Alasdair Kergon, Zdenek Kabelac, Bryn M. Reeves,
Benjamin Marzinski
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the
function retrieve_status:
1. The code in retrieve_status checks that the output string fits into
the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte
boundary:
outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the
buffer end
4. The "for" loop is iterated again and it executes:
remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetic wraps around
and the variable "remaining" contains an unusually high number
6. With "remaining" being high, the code writes more data past the end of
the buffer
Luckily, this bug has no security implications because:
1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper
(libdevmapper and devicemapper-rs) use a buffer size that is aligned to
8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
buffer and the bug can't happen accidentally
Reported-by: Tony Asleson <tasleson@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
---
drivers/md/dm-ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
Index: linux-dm/drivers/md/dm-ioctl.c
===================================================================
--- linux-dm.orig/drivers/md/dm-ioctl.c 2026-04-08 16:14:34.000000000 +0200
+++ linux-dm/drivers/md/dm-ioctl.c 2026-04-08 21:11:11.000000000 +0200
@@ -1356,6 +1356,10 @@ static void retrieve_status(struct dm_ta
used = param->data_start + (outptr - outbuf);
outptr = align_ptr(outptr);
+ if (!outptr || outptr > outbuf + len) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ break;
+ }
spec->next = outptr - outbuf;
}
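Review bot: the new check breaks out after `used = param->data_start + (outptr - outbuf);` has already been advanced past this target's status string, but before `spec->next = outptr - outbuf;` runs, so on this path `used` accounts for a target whose `spec->next` is never set. Consider placing the check (or the `used` update) so that a truncated target is either fully described or fully excluded, and add a one-line comment that `!outptr` covers `align_ptr()` wrapping to 0 near the top of the address space; without it the NULL test reads as a stray check.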
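An added, offset-based model of the six steps described above (constructed for illustration, not the kernel's code): `off` plays the role of `outptr - outbuf`, writes are only recorded, and SPEC_SIZE and the sample sizes are made up. It shows the unchecked 8-byte alignment overshooting a 52-byte buffer so that the next `remaining` wraps, and the patch's check stopping the walk instead.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed, offset-based model of the retrieve_status loop: `off` stands
 * for (outptr - outbuf) and writes are only recorded, never performed.
 * SPEC_SIZE is a made-up stand-in for sizeof(struct dm_target_spec). */
#define ALIGN_MASK 7   /* dm-ioctl aligns each target spec to 8 bytes */
#define SPEC_SIZE 40

struct walk {
	size_t overrun;    /* bytes that would have landed past outbuf + len */
	int buffer_full;   /* DM_BUFFER_FULL_FLAG would have been set */
};

static size_t align_off(size_t off) { return (off + ALIGN_MASK) & ~(size_t)ALIGN_MASK; }

/* Record a write of n bytes at offset off into a len-byte buffer. */
static void note_write(struct walk *w, size_t len, size_t off, size_t n)
{
	if (off + n > len)
		w->overrun += off + n - len;
}
/* Emit ntargets specs, each followed by a status string of slen bytes (NUL
 * included). fixed=0 is the unchecked alignment, fixed=1 adds the patch's check. */
struct walk retrieve_status_model(size_t len, unsigned ntargets, size_t slen, int fixed)
{
	struct walk w = { 0, 0 };
	size_t off = 0, remaining;
	for (unsigned i = 0; i < ntargets; i++) {
		remaining = len - off;          /* size_t wraps once off > len */
		if (remaining <= SPEC_SIZE) { w.buffer_full = 1; break; }
		note_write(&w, len, off, SPEC_SIZE);
		off += SPEC_SIZE;
		remaining = len - off;
		if (remaining == 0) { w.buffer_full = 1; break; }
		/* the target's status callback may fill all of `remaining` */
		note_write(&w, len, off, slen < remaining ? slen : remaining);
		if (slen >= remaining) { w.buffer_full = 1; break; }
		off = align_off(off + slen);
		if (fixed && off > len) { w.buffer_full = 1; break; }
	}
	return w;
}

int main(void)
{
	struct walk bug = retrieve_status_model(52, 2, 10, 0);   /* 52 is not 8-aligned */
	struct walk fix = retrieve_status_model(52, 2, 10, 1);
	printf("unchecked: %zu bytes past the buffer\n", bug.overrun);
	printf("checked: %zu bytes past the buffer, full=%d\n", fix.overrun, fix.buffer_full);
	return 0;
}
```

With a buffer length that is a multiple of 8 (for example 56) both modes stay inside the buffer, matching the note that the 8-byte-aligned buffers used by libdevmapper and devicemapper-rs cannot trigger the overshoot.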
* Re: [PATCH] dm: fix a buffer overflow in ioctl processing
From: Bryn M. Reeves @ 2026-04-09 16:42 UTC (permalink / raw)
To: Mikulas Patocka
Cc: dm-devel, Tony Asleson, Alasdair Kergon, Zdenek Kabelac,
Benjamin Marzinski
On Thu, Apr 09, 2026 at 05:49:58PM +0200, Mikulas Patocka wrote:
> Luckily, this bug has no security implications because:
> 1. Only root can issue device mapper ioctls
> 2. The commonly used libraries that communicate with device mapper
> (libdevmapper and devicemapper-rs) use a buffer size that is aligned to
> 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
> buffer and the bug can't happen accidentally
>
> Reported-by: Tony Asleson <tasleson@redhat.com>
> Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Bryn M. Reeves <bmr@redhat.com>