* [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1
From: He Gao @ 2024-02-20 23:23 UTC
To: stable; +Cc: He Gao

This is the fix of CVE-2024-23851 for kernel v6.1.

Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404341a4

Changed argument name "blk_mode_t" back to "fmode_t" for the old version. The argument
is not affected by the patch.

He Gao (1):
  dm: limit the number of targets and parameter size area

 drivers/md/dm-core.h  | 2 ++
 drivers/md/dm-ioctl.c | 3 ++-
 drivers/md/dm-table.c | 9 +++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

--
2.44.0.rc0.258.g7320e95886-goog
* [PATCH 6.1] dm: limit the number of targets and parameter size area 2024-02-20 23:23 [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 He Gao @ 2024-02-20 23:23 ` He Gao 2024-02-21 8:50 ` [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 Greg KH 1 sibling, 0 replies; 4+ messages in thread From: He Gao @ 2024-02-20 23:23 UTC (permalink / raw) To: stable; +Cc: He Gao, Mikulas Patocka, Mike Snitzer [ Upstream commit bd504bcfec41a503b32054da5472904b404341a4 ] The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot. In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824. Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Mike Snitzer <snitzer@kernel.org> Signed-off-by: He Gao <hegao@google.com> --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 71dcd8fd4050..6314210d3697 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -21,6 +21,8 @@ #include "dm-ima.h" #define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 struct dm_io; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 206e6ce554dc..4376754816ab 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1877,7 +1877,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) { + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size); return -EINVAL; 
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index dac6a5f25f2b..e0367a672eab 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -128,7 +128,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, fmode_t mode, unsigned int num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL); if (!t) return -ENOMEM; @@ -143,7 +148,7 @@ int dm_table_create(struct dm_table **result, fmode_t mode, if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; } if (alloc_targets(t, num_targets)) { -- 2.44.0.rc0.258.g7320e95886-goog ^ permalink raw reply related [flat|nested] 4+ messages in thread
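Review bot: DM_MAX_TARGETS and DM_MAX_TARGET_PARAMS are added to dm-core.h without a comment, and the second name reads like a parameter count although in this patch it is only used as a per-target factor in the data_size check in copy_params. The product 1048576 * 1024 equals the 1073741824 given in the commit message and still fits in a signed int, but doubling either constant would overflow the constant expression. Please add a comment stating the units and the INT_MAX constraint from kvmalloc, and consider one derived macro for the parameter-area limit so the multiplication lives in a single place.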
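Review bot: in the copy_params hunk the new upper bound reuses the DMERR text of the lower bound, so "Invalid data size in the ioctl structure: %u" does not tell the reader which limit was hit or what the maximum is. Either split the two conditions with their own messages or include the limit in the message. The two unlikely() wrappers can also be folded into a single unlikely() around the whole condition, which reads more cleanly.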
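Review bot: the new "if (num_targets > DM_MAX_TARGETS)" check at the top of dm_table_create returns -EOVERFLOW with no message, while the corresponding data_size rejection in copy_params logs through DMERR. If the silence is intentional, a short comment saying so would help; otherwise log the rejected count in the same way. Placing the check before kzalloc is good, since the early return then needs no cleanup.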
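Review bot: the second dm-table.c hunk changes the return value of the "if (!num_targets)" path from -ENOMEM to -EOVERFLOW, but the commit message only describes the two new limits and says nothing about this errno change. Since the value can differ from what callers saw before, please mention it in the commit message, and add a one-line comment explaining why a zero num_targets at this point is treated as an overflow, because the hunk alone does not show it.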
* Re: [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1
From: Greg KH @ 2024-02-21 8:50 UTC
To: He Gao; +Cc: stable

On Tue, Feb 20, 2024 at 11:23:38PM +0000, He Gao wrote:
> This is the fix of CVE-2024-23851 for kernel v6.1.
>
> Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404341a4
>
> Changed argument name "blk_mode_t" back to "fmode_t" for the old version. The argument
> is not affected by the patch.

What needed to be changed? The original applied just fine.

And what about 6.6.y and 6.7.y?

thanks,

greg k-h
[parent not found: <CAGVOQjFLBCGh5zRTZcmiyNNtgnMn8MBeAFqY1FNm_rtT3Pp7gg@mail.gmail.com>]
* Re: [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1
From: Greg KH @ 2024-02-22 5:58 UTC
To: He Gao; +Cc: stable

On Wed, Feb 21, 2024 at 10:52:41AM -0800, He Gao wrote:
> I used "git apply" and it required the change. But "patch" can work
> directly so yes the original patch works fine.
>
> In that case, I believe the original patch will also work for 6.6 and 6.7.

Great, all done, thanks!

greg k-h