From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zhong Jinghua <zhongjinghua@huawei.com>,
Yu Kuai <yukuai3@huawei.com>, Josef Bacik <josef@toxicpanda.com>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org, nbd@other.debian.org
Subject: [PATCH AUTOSEL 5.15 26/30] nbd: fix incomplete validation of ioctl arg
Date: Thu, 4 May 2023 15:48:19 -0400 [thread overview]
Message-ID: <20230504194824.3808028-26-sashal@kernel.org> (raw)
In-Reply-To: <20230504194824.3808028-1-sashal@kernel.org>
From: Zhong Jinghua <zhongjinghua@huawei.com>
[ Upstream commit 55793ea54d77719a071b1ccc05a05056e3b5e009 ]
We tested and found an alarm caused by nbd_ioctl arg without verification.
The UBSAN warning calltrace like below:
UBSAN: Undefined behaviour in fs/buffer.c:1709:35
signed integer overflow:
-9223372036854775808 - 1 cannot be represented in type 'long long int'
CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78
show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x170/0x1dc lib/dump_stack.c:118
ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161
handle_overflow+0x188/0x1dc lib/ubsan.c:192
__ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206
__block_write_full_page+0x94c/0xa20 fs/buffer.c:1709
block_write_full_page+0x1f0/0x280 fs/buffer.c:2934
blkdev_writepage+0x34/0x40 fs/block_dev.c:607
__writepage+0x68/0xe8 mm/page-writeback.c:2305
write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240
generic_writepages+0xdc/0x148 mm/page-writeback.c:2329
blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114
do_writepages+0xd4/0x250 mm/page-writeback.c:2344
The reason for triggering this warning is __block_write_full_page()
-> i_size_read(inode) - 1 overflow.
inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize.
We think it is necessary to limit the size of arg to prevent errors.
Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int.
Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine),
it will become 1 after the coercion, which will return unexpected results.
Fix it by adding checks to prevent passing in too large numbers.
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20230206145805.2645671-1-zhongjinghua@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index ade8b839e4458..394355f12d4e0 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -326,6 +326,9 @@ static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
if (blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize))
return -EINVAL;
+ if (bytesize < 0)
+ return -EINVAL;
+
nbd->config->bytesize = bytesize;
nbd->config->blksize_bits = __ffs(blksize);
@@ -1048,6 +1051,9 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
struct nbd_sock *nsock;
int err;
+ /* Arg will be cast to int, check it to avoid overflow */
+ if (arg > INT_MAX)
+ return -EINVAL;
sock = nbd_get_socket(nbd, arg, &err);
if (!sock)
return err;
--
2.39.2
next prev parent reply other threads:[~2023-05-04 19:58 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:47 [PATCH AUTOSEL 5.15 01/30] wifi: ath: Silence memcpy run-time false positive warning Sasha Levin
2023-05-04 19:47 ` [PATCH AUTOSEL 5.15 02/30] bpf: Annotate data races in bpf_local_storage Sasha Levin
2023-05-04 19:47 ` [PATCH AUTOSEL 5.15 03/30] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin
2023-05-04 19:47 ` [PATCH AUTOSEL 5.15 04/30] ext2: Check block size validity during mount Sasha Levin
2023-05-04 19:47 ` [PATCH AUTOSEL 5.15 05/30] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Sasha Levin
2023-05-04 19:47 ` [PATCH AUTOSEL 5.15 06/30] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 07/30] bnxt: avoid overflow in bnxt_get_nvram_directory() Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 08/30] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 09/30] net: Catch invalid index in XPS mapping Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 10/30] scsi: target: iscsit: Free cmds before session free Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 11/30] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 12/30] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 13/30] gfs2: Fix inode height consistency check Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 14/30] scsi: ufs: ufs-pci: Add support for Intel Lunar Lake Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 15/30] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 16/30] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 17/30] f2fs: fix to drop all dirty pages during umount() if cp_error is set Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 18/30] f2fs: fix to check readonly condition correctly Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 19/30] samples/bpf: Fix fout leak in hbm's run_bpf_prog Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 20/30] bpf: Add preempt_count_{sub,add} into btf id deny list Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 21/30] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 22/30] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 23/30] null_blk: Always check queue mode setting from configfs Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 24/30] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 25/30] wifi: ath11k: Fix SKB corruption in REO destination ring Sasha Levin
2023-05-04 19:48 ` Sasha Levin [this message]
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 27/30] ipvs: Update width of source for ip_vs_sync_conn_options Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 28/30] Bluetooth: btintel: Add LE States quirk support Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 29/30] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set Sasha Levin
2023-05-04 19:48 ` [PATCH AUTOSEL 5.15 30/30] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504194824.3808028-26-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=josef@toxicpanda.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nbd@other.debian.org \
--cc=stable@vger.kernel.org \
--cc=yukuai3@huawei.com \
--cc=zhongjinghua@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox