Linux block layer
 help / color / mirror / Atom feed
* [PATCH] drbd: reject oversized DataReply before signed conversion
@ 2026-06-30 10:59 Tianchu Chen
  2026-07-10 10:34 ` Christoph Böhmwalder
  0 siblings, 1 reply; 2+ messages in thread
From: Tianchu Chen @ 2026-06-30 10:59 UTC (permalink / raw)
  To: philipp.reisner, lars.ellenberg, christoph.boehmwalder
  Cc: drbd-dev, linux-block, linux-kernel, axboe

From: Tianchu Chen <flynnnchen@tencent.com>

Discovered by Atuin - Automated Vulnerability Discovery Engine.

Reject DataReply payload lengths that cannot fit in recv_dless_read()'s
signed size argument so a bogus remote peer cannot wrap the length negative
and turn it into a huge heap OOB-write.

Fixes: b411b3637fa7 ("The DRBD driver")
Cc: stable@vger.kernel.org
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
---
 drivers/block/drbd/drbd_receiver.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 58b95bf4b..5bd3df483 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -24,6 +24,7 @@
 #include <linux/memcontrol.h>
 #include <linux/mm_inline.h>
 #include <linux/slab.h>
+#include <linux/limits.h>
 #include <uapi/linux/sched/types.h>
 #include <linux/sched/signal.h>
 #include <linux/pkt_sched.h>
@@ -1947,6 +1948,9 @@ static int receive_DataReply(struct drbd_connection *connection, struct packet_i
 	if (unlikely(!req))
 		return -EIO;
 
+	if (pi->size > INT_MAX)
+		return -EINVAL;
+
 	err = recv_dless_read(peer_device, req, sector, pi->size);
 	if (!err)
 		req_mod(req, DATA_RECEIVED, peer_device);
-- 
2.51.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] drbd: reject oversized DataReply before signed conversion
  2026-06-30 10:59 [PATCH] drbd: reject oversized DataReply before signed conversion Tianchu Chen
@ 2026-07-10 10:34 ` Christoph Böhmwalder
  0 siblings, 0 replies; 2+ messages in thread
From: Christoph Böhmwalder @ 2026-07-10 10:34 UTC (permalink / raw)
  To: Tianchu Chen
  Cc: philipp.reisner, lars.ellenberg, drbd-dev, linux-block,
	linux-kernel, axboe

On Tue, Jun 30, 2026 at 10:59:31AM +0000, Tianchu Chen wrote:
>From: Tianchu Chen <flynnnchen@tencent.com>
>
>Discovered by Atuin - Automated Vulnerability Discovery Engine.
>
>Reject DataReply payload lengths that cannot fit in recv_dless_read()'s
>signed size argument so a bogus remote peer cannot wrap the length negative
>and turn it into a huge heap OOB-write.
>
>Fixes: b411b3637fa7 ("The DRBD driver")
>Cc: stable@vger.kernel.org
>Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>

This is similar to [0], but the mentioned patch is a more complete fix. 
There is also a case in recv_dless_read where data_size can underflow 
when a data-integrity-alg is configured.

The other patch catches this case as well by placing the guard later, so 
I would prefer to apply that one instead of this.

Thanks,
Christoph

[0] https://lore.kernel.org/all/20260710022837.3738461-1-michael.bommarito@gmail.com/

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-10 10:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 10:59 [PATCH] drbd: reject oversized DataReply before signed conversion Tianchu Chen
2026-07-10 10:34 ` Christoph Böhmwalder

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox