The Linux Kernel Mailing List
* [PATCH] drbd: reject oversized DataReply before signed conversion
@ 2026-06-30 10:59 Tianchu Chen
  0 siblings, 0 replies; only message in thread
From: Tianchu Chen @ 2026-06-30 10:59 UTC (permalink / raw)
  To: philipp.reisner, lars.ellenberg, christoph.boehmwalder
  Cc: drbd-dev, linux-block, linux-kernel, axboe

From: Tianchu Chen <flynnnchen@tencent.com>

Discovered by Atuin - Automated Vulnerability Discovery Engine.

Reject DataReply payload lengths that cannot fit in recv_dless_read()'s
signed size argument so a bogus remote peer cannot wrap the length negative
and turn it into a huge heap OOB-write.

Fixes: b411b3637fa7 ("The DRBD driver")
Cc: stable@vger.kernel.org
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
---
 drivers/block/drbd/drbd_receiver.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 58b95bf4b..5bd3df483 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -24,6 +24,7 @@
 #include <linux/memcontrol.h>
 #include <linux/mm_inline.h>
 #include <linux/slab.h>
+#include <linux/limits.h>
 #include <uapi/linux/sched/types.h>
 #include <linux/sched/signal.h>
 #include <linux/pkt_sched.h>
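Review bot: the added "#include <linux/limits.h>", placed between <linux/slab.h> and <uapi/linux/sched/types.h>, exists only to supply INT_MAX for the check in receive_DataReply(), and the commit message does not say the file fails to build without it. If INT_MAX is already reachable through the headers this file includes, drop the include so the stable backport is just the three-line check. If it is required, say so in the changelog.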
@@ -1947,6 +1948,9 @@ static int receive_DataReply(struct drbd_connection *connection, struct packet_i
 	if (unlikely(!req))
 		return -EIO;
 
+	if (pi->size > INT_MAX)
+		return -EINVAL;
+
 	err = recv_dless_read(peer_device, req, sector, pi->size);
 	if (!err)
 		req_mod(req, DATA_RECEIVED, peer_device);
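Review bot: the new "if (pi->size > INT_MAX)" test before the recv_dless_read() call only rules out the sign wrap, so any positive length up to INT_MAX is still passed through regardless of how much data req actually covers. Since req has already been looked up at this point, consider bounding pi->size against the request's own size instead of INT_MAX, or explain in the commit message why recv_dless_read() is safe for oversized positive values. The "return -EINVAL;" path is also silent; a log line naming the rejected size would help when diagnosing a misbehaving peer.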
-- 
2.51.0
