Re: [PATCH] partitions: aix: bound the pp_count scan to the ppe array

[Philippe De Muyter <phdm@macqel.be>]

Hello Bryam,

On Sun, Jun 07, 2026 at 06:41:43AM +0000, Bryam Vargas wrote:
> aix_partition() reads the physical volume descriptor into a fixed-size
> struct pvd and then scans its physical-partition-extent array:
> 
> 	int numpps = be16_to_cpu(pvd->pp_count);
> 	...
> 	for (i = 0; i < numpps; i += 1) {
> 		struct ppe *p = pvd->ppe + i;
> 		...
> 		lp_ix = be16_to_cpu(p->lp_ix);
> 
> pvd points at a single kmalloc()'d struct pvd whose ppe[] member holds a
> fixed ARRAY_SIZE(pvd->ppe) (1016) entries, but the loop runs up to the
> on-disk pp_count.  pp_count is an unvalidated __be16 read straight from
> the descriptor, so a crafted AIX image with pp_count larger than 1016
> drives the loop to read pvd->ppe[i] past the end of the allocation (up to
> 65535 entries, ~2 MB out of bounds).
> 
> The partition scan runs without mounting anything, when a block device
> with a crafted AIX/IBM partition table appears (an attacker-supplied
> image attached with losetup -P, or a device auto-scanned by udev), via
> msdos_partition() -> aix_partition().
> 
> Clamp the scan to the number of entries the ppe[] array can hold.
> 
> Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
> ---
> Reproduced on v7.1-rc6 with KASAN (CONFIG_PARTITION_ADVANCED +
> CONFIG_AIX_PARTITION).  A crafted disk image whose AIX/IBM partition table
> sets pp_count to 0xffff, attached with `losetup -fP image.img` (in-kernel
> partition scan, no mount), is reported by KASAN:
> 
>   BUG: KASAN: slab-out-of-bounds in aix_partition+0xb6e/0xee0
>   Read of size 2 at addr ... by task losetup
>    aix_partition
>    msdos_partition
>    bdev_disk_changed
>    loop_reread_partitions
>    loop_configure
>    lo_ioctl
>    __x64_sys_ioctl
> 
> i.e. a read past the end of the kmalloc(sizeof(struct pvd)) object.  A control
> image with pp_count == 1016 (== ARRAY_SIZE(pvd->ppe)) is clean.  With this
> patch the crafted image is parsed with no out-of-bounds access.
> 
> This is the read-loop sibling of the lvd scan bounded by Michael Bommarito's
> "partitions: aix: bound the lvd scan to one sector"; that change does not
> touch the pp_count/ppe[] loop, so the two are complementary (separate hunks).
> 
>  block/partitions/aix.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/block/partitions/aix.c b/block/partitions/aix.c
> index 29b8f4cebb63..f3c4174e003e 100644
> --- a/block/partitions/aix.c
> +++ b/block/partitions/aix.c
> @@ -226,6 +226,15 @@ int aix_partition(struct parsed_partitions *state)
>  		int next_lp_ix = 1;
>  		int lp_ix;
>  
> +		/*
> +		 * pvd was read into a fixed-size struct pvd whose ppe[] array
> +		 * holds ARRAY_SIZE(pvd->ppe) entries.  pp_count is an
> +		 * unvalidated on-disk __be16, so clamp the scan to the array
> +		 * size to avoid walking past the allocation.
> +		 */
> +		if (numpps > ARRAY_SIZE(pvd->ppe))
> +			numpps = ARRAY_SIZE(pvd->ppe);
> +
>  		for (i = 0; i < numpps; i += 1) {
>  			struct ppe *p = pvd->ppe + i;
>  			unsigned int lv_ix;
> -- 
> 2.43.0

Thank you for your patch.

Acked-by: Philippe De Muyter <phdm@macqel.be>

Best regards

Philippe