[PATCH] block: fix integer overflow in BLKSECDISCARD

linux-block.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] block: fix integer overflow in BLKSECDISCARD
@ 2024-09-03 19:48 Alexey Dobriyan
  2024-09-04  4:31 ` Christoph Hellwig
  2024-09-04 14:01 ` Jens Axboe
  0 siblings, 2 replies; 4+ messages in thread
From: Alexey Dobriyan @ 2024-09-03 19:48 UTC (permalink / raw)
  To: Jens Axboe; +Cc: linux-block

I independently rediscovered

	commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
	block: fix overflow in blk_ioctl_discard()

but for secure erase.

Same problem:

	uint64_t r[2] = {512, 18446744073709551104ULL};
	ioctl(fd, BLKSECDISCARD, r);

will enter near infinite loop inside blkdev_issue_secure_erase():

	a.out: attempt to access beyond end of device
	loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
	bio_check_eod: 3286214 callbacks suppressed

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 block/ioctl.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -126,7 +126,7 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode,
 		return -EINVAL;
 
 	filemap_invalidate_lock(bdev->bd_mapping);
-	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
+	err = truncate_bdev_range(bdev, mode, start, end - 1);
 	if (err)
 		goto fail;
 
@@ -163,7 +163,7 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode,
 static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode,
 		void __user *argp)
 {
-	uint64_t start, len;
+	uint64_t start, len, end;
 	uint64_t range[2];
 	int err;
 
@@ -178,11 +178,12 @@ static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode,
 	len = range[1];
 	if ((start & 511) || (len & 511))
 		return -EINVAL;
-	if (start + len > bdev_nr_bytes(bdev))
+	if (check_add_overflow(start, len, &end) ||
+	    end > bdev_nr_bytes(bdev))
 		return -EINVAL;
 
 	filemap_invalidate_lock(bdev->bd_mapping);
-	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
+	err = truncate_bdev_range(bdev, mode, start, end - 1);
 	if (!err)
 		err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9,
 						GFP_KERNEL);

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] block: fix integer overflow in BLKSECDISCARD
  2024-09-03 19:48 [PATCH] block: fix integer overflow in BLKSECDISCARD Alexey Dobriyan
@ 2024-09-04  4:31 ` Christoph Hellwig
  2024-09-04 11:23   ` Alexey Dobriyan
  2024-09-04 14:01 ` Jens Axboe
  1 sibling, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2024-09-04  4:31 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: Jens Axboe, linux-block

Do you actually have a test setup for BLKSECDISCARD?  Given that
I've been ubable to get anyone to actually help with teting it
we might be better off just removing it..


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] block: fix integer overflow in BLKSECDISCARD
  2024-09-04  4:31 ` Christoph Hellwig
@ 2024-09-04 11:23   ` Alexey Dobriyan
  0 siblings, 0 replies; 4+ messages in thread
From: Alexey Dobriyan @ 2024-09-04 11:23 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: Jens Axboe, linux-block

On Tue, Sep 03, 2024 at 09:31:11PM -0700, Christoph Hellwig wrote:
> Do you actually have a test setup for BLKSECDISCARD?

No, of course not. It was "delete every -EOPNOTSUPP" until bug
reproduces.

> Given that
> I've been ubable to get anyone to actually help with teting it
> we might be better off just removing it..

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] block: fix integer overflow in BLKSECDISCARD
  2024-09-03 19:48 [PATCH] block: fix integer overflow in BLKSECDISCARD Alexey Dobriyan
  2024-09-04  4:31 ` Christoph Hellwig
@ 2024-09-04 14:01 ` Jens Axboe
  1 sibling, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2024-09-04 14:01 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: linux-block


On Tue, 03 Sep 2024 22:48:19 +0300, Alexey Dobriyan wrote:
> I independently rediscovered
> 
> 	commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
> 	block: fix overflow in blk_ioctl_discard()
> 
> but for secure erase.
> 
> [...]

Applied, thanks!

[1/1] block: fix integer overflow in BLKSECDISCARD
      commit: 697ba0b6ec4ae04afb67d3911799b5e2043b4455

Best regards,
-- 
Jens Axboe




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-09-04 14:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-03 19:48 [PATCH] block: fix integer overflow in BLKSECDISCARD Alexey Dobriyan
2024-09-04  4:31 ` Christoph Hellwig
2024-09-04 11:23   ` Alexey Dobriyan
2024-09-04 14:01 ` Jens Axboe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).