* [PATCH 5.10] Backport the fix for CVE-2024-23851 to v5.10
@ 2024-02-20 23:50 He Gao
  2024-02-20 23:50 ` [PATCH 5.10] dm: limit the number of targets and parameter size area He Gao
  0 siblings, 1 reply; 2+ messages in thread
From: He Gao @ 2024-02-20 23:50 UTC (permalink / raw
  To: stable; +Cc: He Gao

This is a backport of the fix for CVE-2024-23851 to kernel v5.10.

Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404341a4

Changed code not affected by the patch for the old version.

He Gao (1):
  dm: limit the number of targets and parameter size area

 drivers/md/dm-core.h  | 2 ++
 drivers/md/dm-ioctl.c | 3 ++-
 drivers/md/dm-table.c | 9 +++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

-- 
2.44.0.rc0.258.g7320e95886-goog



* [PATCH 5.10] dm: limit the number of targets and parameter size area
  2024-02-20 23:50 [PATCH 5.10] Backport the fix for CVE-2024-23851 to v5.10 He Gao
@ 2024-02-20 23:50 ` He Gao
  0 siblings, 0 replies; 2+ messages in thread
From: He Gao @ 2024-02-20 23:50 UTC (permalink / raw
  To: stable; +Cc: He Gao, Mikulas Patocka, Mike Snitzer

[ Upstream commit bd504bcfec41a503b32054da5472904b404341a4 ]

The kvmalloc function fails with a warning if the size is larger than
INT_MAX. The warning was triggered by a syscall testing robot.

In order to avoid the warning, this commit limits the number of targets to
1048576 and the size of the parameter area to 1073741824.

Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: He Gao <hegao@google.com>
---
 drivers/md/dm-core.h  | 2 ++
 drivers/md/dm-ioctl.c | 3 ++-
 drivers/md/dm-table.c | 9 +++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h
index 3db92d9a030b..ff73b2c17be5 100644
--- a/drivers/md/dm-core.h
+++ b/drivers/md/dm-core.h
@@ -19,6 +19,8 @@
 #include "dm.h"
 
 #define DM_RESERVED_MAX_IOS		1024
+#define DM_MAX_TARGETS			1048576
+#define DM_MAX_TARGET_PARAMS		1024
 
 struct dm_kobject_holder {
 	struct kobject kobj;
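Review bot: `DM_MAX_TARGETS` and `DM_MAX_TARGET_PARAMS` are added without a comment, and nothing records that their product has to stay representable as a signed `int`. The `copy_params()` check in drivers/md/dm-ioctl.c evaluates `DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS` as a plain `int` expression; 1048576 * 1024 is exactly 2^30, so it fits today, but doubling either constant would overflow at that use site. A comment above the defines such as `/* DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS bounds the ioctl data size and must stay below INT_MAX (kvmalloc warns above it) */` would keep the constraint next to the numbers.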
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 5f9b9178c647..4184c8a2d497 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1760,7 +1760,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern
 	if (copy_from_user(param_kernel, user, minimum_data_size))
 		return -EFAULT;
 
-	if (param_kernel->data_size < minimum_data_size)
+	if (unlikely(param_kernel->data_size < minimum_data_size) ||
+	    unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS))
 		return -EINVAL;
 
 	secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG;
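Review bot: Both halves of the new condition return `-EINVAL` with no diagnostic, so an oversized `data_size` looks the same as an undersized one to anyone triaging a failed ioctl. If this tree has no message on this path, bracing the body and adding `DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size);` before the return would make the rejection visible in the log. A one-line comment that the upper bound keeps the buffer size, presumably allocated later in `copy_params()`, under the kvmalloc `INT_MAX` limit would also help. `copy_params()` starts and continues outside the hunk.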
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index 5c590895c14c..31bcdcd93c7a 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -144,7 +144,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num)
 int dm_table_create(struct dm_table **result, fmode_t mode,
 		    unsigned num_targets, struct mapped_device *md)
 {
-	struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL);
+	struct dm_table *t;
+
+	if (num_targets > DM_MAX_TARGETS)
+		return -EOVERFLOW;
+
+	t = kzalloc(sizeof(*t), GFP_KERNEL);
 
 	if (!t)
 		return -ENOMEM;
@@ -158,7 +163,7 @@ int dm_table_create(struct dm_table **result, fmode_t mode,
 
 	if (!num_targets) {
 		kfree(t);
-		return -ENOMEM;
+		return -EOVERFLOW;
 	}
 
 	if (alloc_targets(t, num_targets)) {
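Review bot: The `!num_targets` branch that now returns `-EOVERFLOW` may no longer be reachable through wrap-around, because the previous hunk rejects `num_targets > DM_MAX_TARGETS` at the top of `dm_table_create()`. The lines that adjust `num_targets` between the two hunks are not shown, so this is inferred. If the branch only caught a wrapped round-up, a comment such as `/* defensive: cannot wrap once num_targets <= DM_MAX_TARGETS */` would tell the next reader why it remains. If it can still fire for a zero count, `-EOVERFLOW` is a misleading code for an empty table. The function body continues outside the hunk.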
-- 
2.44.0.rc0.258.g7320e95886-goog


