* [PATCH] drbd: reject oversized DataReply before signed conversion
From: Tianchu Chen @ 2026-06-30 10:59 UTC (permalink / raw)
To: philipp.reisner, lars.ellenberg, christoph.boehmwalder
Cc: drbd-dev, linux-block, linux-kernel, axboe
From: Tianchu Chen <flynnnchen@tencent.com>
Discovered by Atuin - Automated Vulnerability Discovery Engine.
Reject DataReply payload lengths that cannot fit in recv_dless_read()'s
signed size argument so a bogus remote peer cannot wrap the length negative
and turn it into a huge heap OOB-write.
Fixes: b411b3637fa7 ("The DRBD driver")
Cc: stable@vger.kernel.org
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
---
drivers/block/drbd/drbd_receiver.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 58b95bf4b..5bd3df483 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -24,6 +24,7 @@
#include <linux/memcontrol.h>
#include <linux/mm_inline.h>
#include <linux/slab.h>
+#include <linux/limits.h>
#include <uapi/linux/sched/types.h>
#include <linux/sched/signal.h>
#include <linux/pkt_sched.h>
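Review bot: The new #include <linux/limits.h>, added after <linux/slab.h>, is not mentioned in the commit message. It appears to be needed only for the INT_MAX used in the receive_DataReply() hunk; since the patch is Cc'd to stable, a short clause in the changelog saying so would make clear to backporters why a header change accompanies the check.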
@@ -1947,6 +1948,9 @@ static int receive_DataReply(struct drbd_connection *connection, struct packet_i
if (unlikely(!req))
return -EIO;
+ if (pi->size > INT_MAX)
+ return -EINVAL;
+
err = recv_dless_read(peer_device, req, sector, pi->size);
if (!err)
req_mod(req, DATA_RECEIVED, peer_device);
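Review bot: The added test "if (pi->size > INT_MAX)" in receive_DataReply() only excludes lengths that would turn negative in recv_dless_read()'s signed size argument; any peer-supplied length up to INT_MAX still reaches the call, and nothing in this hunk ties pi->size to the request that was just looked up. If recv_dless_read() already rejects a positive length that does not match req, say so in the commit message; otherwise compare pi->size against the request's expected size here instead of the type limit. A one-line comment above the check explaining why INT_MAX is the bound would help, and since the test does not depend on req it could sit before the "if (unlikely(!req))" lookup result check so a malformed packet is rejected first.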
--
2.51.0