Linux block layer
From: linan666@huaweicloud.com
To: axboe@kernel.dk, geliang.tang@suse.com, xni@redhat.com, colyli@suse.de
Cc: ira.weiny@intel.com, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, linan666@huaweicloud.com,
	yukuai3@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com,
	yangerkun@huawei.com
Subject: [PATCH 3/4] badblocks: fix slab-out-of-bounds in _badblocks_check()
Date: Sat, 23 Dec 2023 14:37:27 +0800
Message-ID: <20231223063728.3229446-4-linan666@huaweicloud.com>
In-Reply-To: <20231223063728.3229446-1-linan666@huaweicloud.com>

From: Li Nan <linan122@huawei.com>

prev_badblocks() will return -1 if the checked range start < p[0]. Accessing
p[-1] will cause a bug as below:

  BUG: KASAN: slab-out-of-bounds in badblocks_check+0x2c4

Fix it by checking 'prev' before accessing badblocks->page.

Fixes: 3ea3354cb9f0 ("badblocks: improve badblocks_check() for multiple ranges handling")
Signed-off-by: Li Nan <linan122@huawei.com>
---
 block/badblocks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/badblocks.c b/block/badblocks.c
index 054d05b93641..71a3e43351da 100644
--- a/block/badblocks.c
+++ b/block/badblocks.c
@@ -1316,7 +1316,7 @@ static int _badblocks_check(struct badblocks *bb, sector_t s, int sectors,
 		goto out;
 	}
 
-	if (overlap_front(bb, prev, &bad)) {
+	if (prev >= 0 && overlap_front(bb, prev, &bad)) {
 		if (set == 0) {
 			*first_bad = BB_OFFSET(p[prev]);
 			*bad_sectors = BB_LEN(p[prev]);
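
Review bot: The `prev >= 0` test added to the `overlap_front(bb, prev, &bad)` condition guards only this one call site, and nothing in the code records why `prev` can be negative at this point. A one-line comment above the condition stating that prev_badblocks() returns -1 when the checked range starts below p[0] would keep a later cleanup from dropping the check as redundant. The same condition protects the `p[prev]` reads in the body (`BB_OFFSET(p[prev])`, `BB_LEN(p[prev])`), so the ordering matters: `prev >= 0` must stay on the left of `&&` so that overlap_front() is never evaluated with -1. Any other use of `prev` as an index later in _badblocks_check(), outside the lines shown here, should be checked for the same -1 case before this is considered complete. The commit message quotes only the first line of the KASAN report; adding the access size and the call trace would make it easier to match against reports when backporting to trees that carry 3ea3354cb9f0.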
-- 
2.39.2

