Commit ee9b142838a989550587a27fb3bb8ebbe8ab6fba
Committed by Greg Kroah-Hartman
1 parent 5986bc8088
genhd: check for int overflow in disk_expand_part_tbl()
commit 5fabcb4c33fe11c7e3afdf805fde26c1a54d0953 upstream.

We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition() with a user passed in partno value. If we pass in 0x7fffffff, the new target in disk_expand_part_tbl() overflows the 'int' and we access beyond the end of ptbl->part[] and even write to it when we do the rcu_assign_pointer() to assign the new partition.

Reported-by: David Ramos <daramos@stanford.edu>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 9 additions and 2 deletions
block/genhd.c
... | ... | @@ -1070,9 +1070,16 @@ |
1070 | 1070 | struct disk_part_tbl *old_ptbl = disk->part_tbl; |
1071 | 1071 | struct disk_part_tbl *new_ptbl; |
1072 | 1072 | int len = old_ptbl ? old_ptbl->len : 0; |
1073 | - int target = partno + 1; | |
1073 | + int i, target; | |
1074 | 1074 | size_t size; |
1075 | - int i; | |
1075 | + | |
1076 | + /* | |
1077 | + * check for int overflow, since we can get here from blkpg_ioctl() | |
1078 | + * with a user passed 'partno'. | |
1079 | + */ | |
1080 | + target = partno + 1; | |
1081 | + if (target < 0) | |
1082 | + return -EINVAL; | |
1076 | 1083 | |
1077 | 1084 | /* disk_max_parts() is zero during initialization, ignore if so */ |
1078 | 1085 | if (disk_max_parts(disk) && target > disk_max_parts(disk)) |
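Review bot: The overflow test at `if (target < 0)` runs only after `target = partno + 1` has already been computed, so it detects the overflow by relying on signed wraparound, which the C standard leaves undefined; the check is only as reliable as the compiler's wrapping behaviour for this build. Testing the input before the addition avoids that dependency, for example returning -EINVAL when `partno < 0 || partno == INT_MAX` and only then assigning `target = partno + 1`. The new comment could also state that `partno` is still unvalidated when it arrives here, since the `disk_max_parts()` bound that follows is skipped when that function returns zero, which leaves this new check as the only guard on that path.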