* [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1
@ 2024-02-20 23:23 He Gao
2024-02-20 23:23 ` [PATCH 6.1] dm: limit the number of targets and parameter size area He Gao
2024-02-21 8:50 ` [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 Greg KH
0 siblings, 2 replies; 4+ messages in thread
From: He Gao @ 2024-02-20 23:23 UTC (permalink / raw
To: stable; +Cc: He Gao
This is the fix of CVE-2024-23851 for kernel v6.1.
Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404341a4
Changed argument name "blk_mode_t" back to "fmode_t" for the old version. The argument
is not affected by the patch.
He Gao (1):
dm: limit the number of targets and parameter size area
drivers/md/dm-core.h | 2 ++
drivers/md/dm-ioctl.c | 3 ++-
drivers/md/dm-table.c | 9 +++++++--
3 files changed, 11 insertions(+), 3 deletions(-)
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 6.1] dm: limit the number of targets and parameter size area
2024-02-20 23:23 [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 He Gao
@ 2024-02-20 23:23 ` He Gao
2024-02-21 8:50 ` [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 Greg KH
1 sibling, 0 replies; 4+ messages in thread
From: He Gao @ 2024-02-20 23:23 UTC (permalink / raw
To: stable; +Cc: He Gao, Mikulas Patocka, Mike Snitzer
[ Upstream commit bd504bcfec41a503b32054da5472904b404341a4 ]
The kvmalloc function fails with a warning if the size is larger than
INT_MAX. The warning was triggered by a syscall testing robot.
In order to avoid the warning, this commit limits the number of targets to
1048576 and the size of the parameter area to 1073741824.
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: He Gao <hegao@google.com>
---
drivers/md/dm-core.h | 2 ++
drivers/md/dm-ioctl.c | 3 ++-
drivers/md/dm-table.c | 9 +++++++--
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h
index 71dcd8fd4050..6314210d3697 100644
--- a/drivers/md/dm-core.h
+++ b/drivers/md/dm-core.h
@@ -21,6 +21,8 @@
#include "dm-ima.h"
#define DM_RESERVED_MAX_IOS 1024
+#define DM_MAX_TARGETS 1048576
+#define DM_MAX_TARGET_PARAMS 1024
struct dm_io;
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 206e6ce554dc..4376754816ab 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1877,7 +1877,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern
minimum_data_size - sizeof(param_kernel->version)))
return -EFAULT;
- if (param_kernel->data_size < minimum_data_size) {
+ if (unlikely(param_kernel->data_size < minimum_data_size) ||
+ unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) {
DMERR("Invalid data size in the ioctl structure: %u",
param_kernel->data_size);
return -EINVAL;
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index dac6a5f25f2b..e0367a672eab 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -128,7 +128,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num)
int dm_table_create(struct dm_table **result, fmode_t mode,
unsigned int num_targets, struct mapped_device *md)
{
- struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL);
+ struct dm_table *t;
+
+ if (num_targets > DM_MAX_TARGETS)
+ return -EOVERFLOW;
+
+ t = kzalloc(sizeof(*t), GFP_KERNEL);
if (!t)
return -ENOMEM;
@@ -143,7 +148,7 @@ int dm_table_create(struct dm_table **result, fmode_t mode,
if (!num_targets) {
kfree(t);
- return -ENOMEM;
+ return -EOVERFLOW;
}
if (alloc_targets(t, num_targets)) {
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1
2024-02-20 23:23 [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 He Gao
2024-02-20 23:23 ` [PATCH 6.1] dm: limit the number of targets and parameter size area He Gao
@ 2024-02-21 8:50 ` Greg KH
[not found] ` <CAGVOQjFLBCGh5zRTZcmiyNNtgnMn8MBeAFqY1FNm_rtT3Pp7gg@mail.gmail.com>
1 sibling, 1 reply; 4+ messages in thread
From: Greg KH @ 2024-02-21 8:50 UTC (permalink / raw
To: He Gao; +Cc: stable
On Tue, Feb 20, 2024 at 11:23:38PM +0000, He Gao wrote:
> This is the fix of CVE-2024-23851 for kernel v6.1.
>
> Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404341a4
>
> Changed argument name "blk_mode_t" back to "fmode_t" for the old version. The argument
> is not affected by the patch.
What needed to be changed? The original applied just fine.
And what about 6.6.y and 6.7.y?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1
[not found] ` <CAGVOQjFLBCGh5zRTZcmiyNNtgnMn8MBeAFqY1FNm_rtT3Pp7gg@mail.gmail.com>
@ 2024-02-22 5:58 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2024-02-22 5:58 UTC (permalink / raw
To: He Gao; +Cc: stable
On Wed, Feb 21, 2024 at 10:52:41AM -0800, He Gao wrote:
> I used "git apply" and it required the change. But "patch" can work
> directly so yes the original patch works fine.
>
> In that case, I believe the original patch will also work for 6.6 and 6.7.
Great, all done, thanks!
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-02-22 5:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-20 23:23 [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 He Gao
2024-02-20 23:23 ` [PATCH 6.1] dm: limit the number of targets and parameter size area He Gao
2024-02-21 8:50 ` [PATCH 6.1] Backport the fix for CVE-2024-23851 to v6.1 Greg KH
[not found] ` <CAGVOQjFLBCGh5zRTZcmiyNNtgnMn8MBeAFqY1FNm_rtT3Pp7gg@mail.gmail.com>
2024-02-22 5:58 ` Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.