genhd: check for int overflow in disk_expand_part_tbl()

commit 5fabcb4c33fe11c7e3afdf805fde26c1a54d0953 upstream. We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition() with a user passed in partno value. If we pass in 0x7fffffff, the new target in disk_expand_part_tbl() overflows the 'int' and we access beyond the end of ptbl->part[] and even write to it when we do the rcu_assign_pointer() to assign the new partition. Reported-by: David Ramos <daramos@stanford.edu> Signed-off-by: Jens Axboe <axboe@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

genhd: check for int overflow in disk_expand_part_tbl()
commit 5fabcb4c33fe11c7e3afdf805fde26c1a54d0953 upstream. We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition() with a user passed in partno value. If we pass in 0x7fffffff, the new target in disk_expand_part_tbl() overflows the 'int' and we access beyond the end of ptbl->part[] and even write to it when we do the rcu_assign_pointer() to assign the new partition. Reported-by: David Ramos <daramos@stanford.edu> Signed-off-by: Jens Axboe <axboe@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jens Axboe · Greg Kroah-Hartman
1 parent 5986bc8088
Showing 1 changed file with 9 additions and 2 deletions Side-by-side Diff
block/genhd.c
@@ -1070,9 +1070,16 @@
 	struct disk_part_tbl *old_ptbl = disk->part_tbl;
 	struct disk_part_tbl *new_ptbl;
 	int len = old_ptbl ? old_ptbl->len : 0;
-	int target = partno + 1;
+	int i, target;
 	size_t size;
-	int i;
+
+	/*
+	 * check for int overflow, since we can get here from blkpg_ioctl()
+	 * with a user passed 'partno'.
+	 */
+	target = partno + 1;
+	if (target < 0)
+		return -EINVAL;
  
 	/* disk_max_parts() is zero during initialization, ignore if so */
 	if (disk_max_parts(disk) && target > disk_max_parts(disk))
...	...	@@ -1070,9 +1070,16 @@
1070	1070	struct disk_part_tbl *old_ptbl = disk->part_tbl;
1071	1071	struct disk_part_tbl *new_ptbl;
1072	1072	int len = old_ptbl ? old_ptbl->len : 0;
1073		- int target = partno + 1;
	1073	+ int i, target;
1074	1074	size_t size;
1075		- int i;
	1075	+
	1076	+ /*
	1077	+ * check for int overflow, since we can get here from blkpg_ioctl()
	1078	+ * with a user passed 'partno'.
	1079	+ */
	1080	+ target = partno + 1;
	1081	+ if (target < 0)
	1082	+ return -EINVAL;
1076	1083
1077	1084	/* disk_max_parts() is zero during initialization, ignore if so */
1078	1085	if (disk_max_parts(disk) && target > disk_max_parts(disk))