* [PATCH 0/2] dm vdo: additional metadata validation
@ 2026-02-11 15:05 Matthew Sakai
2026-02-11 15:05 ` [PATCH 1/2] dm vdo indexer: validate saved zone count Matthew Sakai
2026-02-11 15:05 ` [PATCH 2/2] dm vdo slab-depot: validate old zone count on load Matthew Sakai
0 siblings, 2 replies; 4+ messages in thread
From: Matthew Sakai @ 2026-02-11 15:05 UTC (permalink / raw)
To: dm-devel; +Cc: Matthew Sakai
We identified a few places where dm-vdo uses a value from
storage without sanity-checking that its value makes sense.
Adding additional checks can prevent additional metadata
corruption in the unusual cases where these values get
corrupted.
Matthew Sakai (2):
dm vdo indexer: validate saved zone count
dm vdo slab-depot: validate old zone count on load
drivers/md/dm-vdo/indexer/index-layout.c | 3 +++
drivers/md/dm-vdo/slab-depot.c | 4 ++++
2 files changed, 7 insertions(+)
--
2.48.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] dm vdo indexer: validate saved zone count
2026-02-11 15:05 [PATCH 0/2] dm vdo: additional metadata validation Matthew Sakai
@ 2026-02-11 15:05 ` Matthew Sakai
2026-02-18 20:26 ` Matthew Sakai
2026-02-11 15:05 ` [PATCH 2/2] dm vdo slab-depot: validate old zone count on load Matthew Sakai
1 sibling, 1 reply; 4+ messages in thread
From: Matthew Sakai @ 2026-02-11 15:05 UTC (permalink / raw)
To: dm-devel; +Cc: Matthew Sakai
Verify that the loaded zone count is in the valid range
before using it as a loop iterator.
Signed-off-by: Matthew Sakai <msakai@redhat.com>
---
drivers/md/dm-vdo/indexer/index-layout.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/md/dm-vdo/indexer/index-layout.c b/drivers/md/dm-vdo/indexer/index-layout.c
index 61edf2b72427..37144249f7ba 100644
--- a/drivers/md/dm-vdo/indexer/index-layout.c
+++ b/drivers/md/dm-vdo/indexer/index-layout.c
@@ -1445,6 +1445,9 @@ static int __must_check reconstruct_index_save(struct index_save_layout *isl,
u64 last_block = next_block + isl->index_save.block_count;
isl->zone_count = table->header.region_count - 3;
+ if (isl->zone_count > MAX_ZONES)
+ return vdo_log_error_strerror(UDS_CORRUPT_DATA,
+ "invalid zone count");
last_region = &table->regions[table->header.region_count - 1];
if (last_region->kind == RL_KIND_EMPTY) {
--
2.48.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] dm vdo slab-depot: validate old zone count on load
2026-02-11 15:05 [PATCH 0/2] dm vdo: additional metadata validation Matthew Sakai
2026-02-11 15:05 ` [PATCH 1/2] dm vdo indexer: validate saved zone count Matthew Sakai
@ 2026-02-11 15:05 ` Matthew Sakai
1 sibling, 0 replies; 4+ messages in thread
From: Matthew Sakai @ 2026-02-11 15:05 UTC (permalink / raw)
To: dm-devel; +Cc: Matthew Sakai
Verify the old zone count has a valid value before using
it to compute slab summary entry offsets.
Signed-off-by: Matthew Sakai <msakai@redhat.com>
---
drivers/md/dm-vdo/slab-depot.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/md/dm-vdo/slab-depot.c b/drivers/md/dm-vdo/slab-depot.c
index 034ecaa51f48..ad00afc2c168 100644
--- a/drivers/md/dm-vdo/slab-depot.c
+++ b/drivers/md/dm-vdo/slab-depot.c
@@ -4262,6 +4262,10 @@ int vdo_decode_slab_depot(struct slab_depot_state_2_0 state, struct vdo *vdo,
}
slab_size_shift = ilog2(slab_size);
+ if (state.zone_count > MAX_VDO_PHYSICAL_ZONES)
+ return vdo_log_error_strerror(UDS_CORRUPT_DATA,
+ "invalid zone count");
+
result = vdo_allocate_extended(struct slab_depot,
vdo->thread_config.physical_zone_count,
struct block_allocator, __func__, &depot);
--
2.48.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] dm vdo indexer: validate saved zone count
2026-02-11 15:05 ` [PATCH 1/2] dm vdo indexer: validate saved zone count Matthew Sakai
@ 2026-02-18 20:26 ` Matthew Sakai
0 siblings, 0 replies; 4+ messages in thread
From: Matthew Sakai @ 2026-02-18 20:26 UTC (permalink / raw)
To: dm-devel
I just found a bug in this. The new check is actually too strict
and prevents some valid cases from working correctly.
Please ignore this version. I'll send an update once I'm sure I've got
it right.
Matt
On 2/11/26 10:05 AM, Matthew Sakai wrote:
> Verify that the loaded zone count is in the valid range
> before using it as a loop iterator.
>
> Signed-off-by: Matthew Sakai <msakai@redhat.com>
> ---
> drivers/md/dm-vdo/indexer/index-layout.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/dm-vdo/indexer/index-layout.c b/drivers/md/dm-vdo/indexer/index-layout.c
> index 61edf2b72427..37144249f7ba 100644
> --- a/drivers/md/dm-vdo/indexer/index-layout.c
> +++ b/drivers/md/dm-vdo/indexer/index-layout.c
> @@ -1445,6 +1445,9 @@ static int __must_check reconstruct_index_save(struct index_save_layout *isl,
> u64 last_block = next_block + isl->index_save.block_count;
>
> isl->zone_count = table->header.region_count - 3;
> + if (isl->zone_count > MAX_ZONES)
> + return vdo_log_error_strerror(UDS_CORRUPT_DATA,
> + "invalid zone count");
>
> last_region = &table->regions[table->header.region_count - 1];
> if (last_region->kind == RL_KIND_EMPTY) {
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-18 20:26 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-11 15:05 [PATCH 0/2] dm vdo: additional metadata validation Matthew Sakai
2026-02-11 15:05 ` [PATCH 1/2] dm vdo indexer: validate saved zone count Matthew Sakai
2026-02-18 20:26 ` Matthew Sakai
2026-02-11 15:05 ` [PATCH 2/2] dm vdo slab-depot: validate old zone count on load Matthew Sakai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox