leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
fad7cd3310
linux/drivers/block
History
Baokun Li fad7cd3310 nbd: add the check to prevent overflow in __nbd_ioctl() 
If user specify a large enough value of NBD blocks option, it may trigger
signed integer overflow which may lead to nbd->config->bytesize becomes a
large or small value, zero in particular.

UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31
signed integer overflow:
1024 * 4611686155866341414 cannot be represented in type 'long long int'
[...]
Call trace:
[...]
 handle_overflow+0x188/0x1dc lib/ubsan.c:192
 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
 nbd_size_set drivers/block/nbd.c:325 [inline]
 __nbd_ioctl drivers/block/nbd.c:1342 [inline]
 nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395
 __blkdev_driver_ioctl block/ioctl.c:311 [inline]
[...]

Although it is not a big deal, still silence the UBSAN by limit
the input value.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20210804021212.990223-1-libaokun1@huawei.com
[axboe: dropped unlikely()]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-08-13 10:09:26 -06:00
..
aoe for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00
drbd for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00
mtip32xx mtip32xx: use blk_mq_alloc_disk and blk_cleanup_disk 2021-06-30 15:34:04 -06:00
null_blk null_blk: remove an unused variable assignment in null_add_dev 2021-06-30 15:34:04 -06:00
paride pd: fix order of cleaning up the queue and freeing the tagset 2021-07-15 09:29:22 -06:00
rnbd block/rnbd: Use sysfs_emit instead of s*printf function for sysfs show 2021-08-02 13:37:40 -06:00
rsxx for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00
xen-blkback xen-blkback: fix compatibility bug with single page rings 2021-04-23 09:34:07 +02:00
zram Merge branch 'akpm' (patches from Andrew) 2021-07-02 12:08:10 -07:00
amiflop.c amiflop: use blk_mq_alloc_disk and blk_cleanup_disk 2021-06-11 11:54:43 -06:00
ataflop.c ataflop: use blk_mq_alloc_disk and blk_cleanup_disk 2021-06-11 11:54:43 -06:00
brd.c brd: convert to blk_alloc_disk/blk_cleanup_disk 2021-06-01 07:42:23 -06:00
cryptoloop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 30 2019-05-24 17:27:10 +02:00
floppy.c for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00
Kconfig swim: don't call blk_queue_bounce_limit 2021-04-06 09:29:47 -06:00
loop.c loop: raise media_change event 2021-08-02 13:37:29 -06:00
loop.h loop: charge i/o to mem and blk cg 2021-06-29 10:53:50 -07:00
Makefile drivers/block: remove the umem driver 2021-03-24 06:57:40 -06:00
n64cart.c n64cart: convert to blk_alloc_disk 2021-06-01 07:42:24 -06:00
nbd.c nbd: add the check to prevent overflow in __nbd_ioctl() 2021-08-13 10:09:26 -06:00
pktcdvd.c block: remove REQ_OP_SCSI_{IN,OUT} 2021-06-30 15:34:19 -06:00
ps3disk.c ps3disk: use memcpy_{from,to}_bvec 2021-08-02 13:37:27 -06:00
ps3vram.c ps3vram: convert to blk_alloc_disk/blk_cleanup_disk 2021-06-01 07:42:24 -06:00
rbd_types.h libceph, rbd: replace zero-length array with flexible-array 2020-06-01 13:22:53 +02:00
rbd.c rbd: use memzero_bvec 2021-08-02 13:37:27 -06:00
sunvdc.c Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
swim3.c swim3: use blk_mq_alloc_disk 2021-06-11 11:53:02 -06:00
swim_asm.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim.c swim: use blk_mq_alloc_disk 2021-06-11 11:53:03 -06:00
sx8.c for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00
virtio_blk.c virtio-blk: limit seg_max to a safe value 2021-07-03 04:50:53 -04:00
xen-blkfront.c xen-blkfront: Remove redundant assignment to variable err 2021-08-09 20:04:46 -06:00
z2ram.c for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00