From patchwork Thu Apr 16 13:24:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 227789 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C0CC8C2BB55 for ; Thu, 16 Apr 2020 13:59:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A112821744 for ; Thu, 16 Apr 2020 13:59:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1587045557; bh=rYEbbTZpOvYM3lyWTrWeTlys/rHzSaPGXH+mvSyaYi8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Lu/O8X9GyC+fWFr5NGpLPYRYXTp/hkwl8TrZ+baA2a8q/KA7eAfZiwOftKbPUeZ4h tJvAt9VJz52DGhwC55X6gVRQXspUSCEG5JHR7mD+RsvDLrCTAP3HzbPMgPXt4IPC+o SM6NDWaemAWLvVR1dnOAePoYKOhSRPDea7BMn4uY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2894554AbgDPN7N (ORCPT ); Thu, 16 Apr 2020 09:59:13 -0400 Received: from mail.kernel.org ([198.145.29.99]:46182 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2896536AbgDPN7L (ORCPT ); Thu, 16 Apr 2020 09:59:11 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1413620786; Thu, 16 Apr 2020 13:59:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1587045549; bh=rYEbbTZpOvYM3lyWTrWeTlys/rHzSaPGXH+mvSyaYi8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m3R0d+arDaos+hxHP9gOrk4SPYIy0P3fJNi54ihAJbV6qyVy84y+E+c5LAO9axHMg kDY5dlB9ku9YP4WOSg1DLX02FkxYBAMe8gtisQACc3FzTNSmDfkk7ZV7F6BYz7ScgQ ZwzidtnRGEn2hnB7lwlHOeN3tv1DvXqqqstLNh8Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikos Tsironis , Mike Snitzer Subject: [PATCH 5.6 178/254] dm clone: Add overflow check for number of regions Date: Thu, 16 Apr 2020 15:24:27 +0200 Message-Id: <20200416131348.632831307@linuxfoundation.org> X-Mailer: git-send-email 2.26.1 In-Reply-To: <20200416131325.804095985@linuxfoundation.org> References: <20200416131325.804095985@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikos Tsironis commit cd481c12269b4d276f1a52eda0ebd419079bfe3a upstream. Add overflow check for clone->nr_regions variable, which holds the number of regions of the target. The overflow can occur with sufficiently large devices, if BITS_PER_LONG == 32. E.g., if the region size is 8 sectors (4K), the overflow would occur for device sizes > 34359738360 sectors (~16TB). This could result in multiple device sectors wrongly mapping to the same region number, due to the truncation from 64 bits to 32 bits, which would lead to data corruption. Fixes: 7431b7835f55 ("dm: add clone target") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman --- drivers/md/dm-clone-target.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/drivers/md/dm-clone-target.c +++ b/drivers/md/dm-clone-target.c @@ -1790,6 +1790,7 @@ error: static int clone_ctr(struct dm_target *ti, unsigned int argc, char **argv) { int r; + sector_t nr_regions; struct clone *clone; struct dm_arg_set as; @@ -1831,7 +1832,16 @@ static int clone_ctr(struct dm_target *t goto out_with_source_dev; clone->region_shift = __ffs(clone->region_size); - clone->nr_regions = dm_sector_div_up(ti->len, clone->region_size); + nr_regions = dm_sector_div_up(ti->len, clone->region_size); + + /* Check for overflow */ + if (nr_regions != (unsigned long)nr_regions) { + ti->error = "Too many regions. Consider increasing the region size"; + r = -EOVERFLOW; + goto out_with_source_dev; + } + + clone->nr_regions = nr_regions; r = validate_nr_regions(clone->nr_regions, &ti->error); if (r)