[PATCH 6.6 27/43] block: fix integer overflow in BLKSECDISCARD

Linux kernel -stable discussions
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Alexey Dobriyan <adobriyan@gmail.com>,
	Jens Axboe <axboe@kernel.dk>,
	Rajani Kantha <rajanikantha@engineer.com>
Subject: [PATCH 6.6 27/43] block: fix integer overflow in BLKSECDISCARD
Date: Thu, 30 Jan 2025 14:59:34 +0100	[thread overview]
Message-ID: <20250130133459.995930116@linuxfoundation.org> (raw)
In-Reply-To: <20250130133458.903274626@linuxfoundation.org>

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Dobriyan <adobriyan@gmail.com>

commit 697ba0b6ec4ae04afb67d3911799b5e2043b4455 upstream.

I independently rediscovered

	commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
	block: fix overflow in blk_ioctl_discard()

but for secure erase.

Same problem:

	uint64_t r[2] = {512, 18446744073709551104ULL};
	ioctl(fd, BLKSECDISCARD, r);

will enter near infinite loop inside blkdev_issue_secure_erase():

	a.out: attempt to access beyond end of device
	loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
	bio_check_eod: 3286214 callbacks suppressed

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Link: https://lore.kernel.org/r/9e64057f-650a-46d1-b9f7-34af391536ef@p183
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Rajani Kantha <rajanikantha@engineer.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/ioctl.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -115,7 +115,7 @@ static int blk_ioctl_discard(struct bloc
 		return -EINVAL;
 
 	filemap_invalidate_lock(inode->i_mapping);
-	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
+	err = truncate_bdev_range(bdev, mode, start, end - 1);
 	if (err)
 		goto fail;
 	err = blkdev_issue_discard(bdev, start >> 9, len >> 9, GFP_KERNEL);
@@ -127,7 +127,7 @@ fail:
 static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode,
 		void __user *argp)
 {
-	uint64_t start, len;
+	uint64_t start, len, end;
 	uint64_t range[2];
 	int err;
 
@@ -142,11 +142,12 @@ static int blk_ioctl_secure_erase(struct
 	len = range[1];
 	if ((start & 511) || (len & 511))
 		return -EINVAL;
-	if (start + len > bdev_nr_bytes(bdev))
+	if (check_add_overflow(start, len, &end) ||
+	    end > bdev_nr_bytes(bdev))
 		return -EINVAL;
 
 	filemap_invalidate_lock(bdev->bd_inode->i_mapping);
-	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
+	err = truncate_bdev_range(bdev, mode, start, end - 1);
 	if (!err)
 		err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9,
 						GFP_KERNEL);

next prev parent reply	other threads:[~2025-01-30 14:15 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-30 13:59 [PATCH 6.6 00/43] 6.6.75-rc1 review Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 01/43] ASoC: wm8994: Add depends on MFD core Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 02/43] ASoC: samsung: Add missing selects for MFD_WM8994 Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 03/43] seccomp: Stub for !CONFIG_SECCOMP Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 04/43] scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 05/43] drm/amd/display: Use HW lock mgr for PSR1 Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 06/43] of/unittest: Add test that of_address_to_resource() fails on non-translatable address Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 07/43] irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 08/43] hwmon: (drivetemp) Set scsi command timeout to 10s Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 09/43] ASoC: samsung: Add missing depends on I2C Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 10/43] ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 11/43] cpufreq: amd-pstate: add check for cpufreq_cpu_gets return value Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 12/43] ipv6: Fix soft lockups in fib6_select_path under high next hop churn Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 13/43] RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 14/43] gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 15/43] libfs: Re-arrange locking in offset_iterate_dir() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 16/43] libfs: Define a minimum directory offset Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 17/43] libfs: Add simple_offset_empty() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 18/43] libfs: Fix simple_offset_rename_exchange() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 19/43] libfs: Add simple_offset_rename() API Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 20/43] shmem: Fix shmem_rename2() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 21/43] libfs: Return ENOSPC when the directory offset range is exhausted Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 22/43] Revert "libfs: Add simple_offset_empty()" Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 23/43] libfs: Replace simple_offset end-of-directory detection Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 24/43] libfs: Use d_children list to iterate simple_offset directories Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 25/43] smb: client: handle lack of EA support in smb2_query_path_info() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 26/43] net: sched: fix ets qdisc OOB Indexing Greg Kroah-Hartman
2025-01-30 13:59 ` Greg Kroah-Hartman [this message]
2025-01-30 13:59 ` [PATCH 6.6 28/43] Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 29/43] cachestat: fix page cache statistics permission checking Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 30/43] vfio/platform: check the bounds of read/write syscalls Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 31/43] ext4: fix access to uninitialised lock in fc replay path Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 32/43] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 33/43] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 34/43] USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 35/43] Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 36/43] ALSA: usb-audio: Add delay quirk for USB Audio Device Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 37/43] Input: xpad - add support for Nacon Pro Compact Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 38/43] Input: atkbd - map F23 key to support default copilot shortcut Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 39/43] Input: xpad - add unofficial Xbox 360 wireless receiver clone Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 40/43] Input: xpad - add QH Electronics VID/PID Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 41/43] Input: xpad - improve name of 8BitDo controller 2dc8:3106 Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 42/43] Input: xpad - add support for Nacon Evol-X Xbox One Controller Greg Kroah-Hartman
2025-01-30 13:59 ` [PATCH 6.6 43/43] Input: xpad - add support for wooting two he (arm) Greg Kroah-Hartman
2025-01-30 17:56 ` [PATCH 6.6 00/43] 6.6.75-rc1 review Mark Brown
2025-01-30 21:44 ` Florian Fainelli
2025-01-31  5:39 ` Jon Hunter
2025-01-31 13:52 ` Ron Economos
2025-01-31 15:31 ` Naresh Kamboju
2025-01-31 16:51 ` Muhammad Usama Anjum
2025-02-01  8:16 ` [PATCH 6.6] " Hardik Garg
2025-02-01 12:52 ` [PATCH 6.6 00/43] " Peter Schneider
2025-02-02 13:30 ` Harshit Mogalapalli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250130133459.995930116@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=adobriyan@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=patches@lists.linux.dev \
    --cc=rajanikantha@engineer.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox