| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4f9e579e-1604-4bd4-f988-cb038e3ebdc3@huawei.com>
Date: Thu, 31 Mar 2022 08:45:27 +0800
From: "zhangwensheng (E)" <zhangwensheng5@...wei.com>
To: <josef@...icpanda.com>, <axboe@...nel.dk>
CC: <linux-block@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<nbd@...er.debian.org>, <yukuai3@...wei.com>
Subject: Re: [PATCH -next] nbd: fix possible overflow on 'first_minor' in
nbd_dev_add()
friendly ping...
在 2022/3/17 21:05, zhangwensheng (E) 写道:
> friendly ping...
>
> 在 2022/3/11 10:43, zhangwensheng (E) 写道:
>> friendly ping...
>>
>> 在 2022/3/10 17:32, Zhang Wensheng 写道:
>>> When 'index' is a big numbers, it may become negative which forced
>>> to 'int'. then 'index << part_shift' might overflow to a positive
>>> value that is not greater than '0xfffff', then sysfs might complains
>>> about duplicate creation. Because of this, move the 'index' judgment
>>> to the front will fix it and be better.
>>>
>>> Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
>>> Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor'
>>> in nbd_dev_add()")
>>> Signed-off-by: Zhang Wensheng <zhangwensheng5@...wei.com>
>>> ---
>>> drivers/block/nbd.c | 24 ++++++++++++------------
>>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>>
>>> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
>>> index 5a1f98494ddd..b3cdfc0ffb98 100644
>>> --- a/drivers/block/nbd.c
>>> +++ b/drivers/block/nbd.c
>>> @@ -1800,17 +1800,6 @@ static struct nbd_device *nbd_dev_add(int
>>> index, unsigned int refs)
>>> refcount_set(&nbd->refs, 0);
>>> INIT_LIST_HEAD(&nbd->list);
>>> disk->major = NBD_MAJOR;
>>> -
>>> - /* Too big first_minor can cause duplicate creation of
>>> - * sysfs files/links, since index << part_shift might overflow, or
>>> - * MKDEV() expect that the max bits of first_minor is 20.
>>> - */
>>> - disk->first_minor = index << part_shift;
>>> - if (disk->first_minor < index || disk->first_minor > MINORMASK) {
>>> - err = -EINVAL;
>>> - goto out_free_work;
>>> - }
>>> -
>>> disk->minors = 1 << part_shift;
>>> disk->fops = &nbd_fops;
>>> disk->private_data = nbd;
>>> @@ -1915,8 +1904,19 @@ static int nbd_genl_connect(struct sk_buff
>>> *skb, struct genl_info *info)
>>> if (!netlink_capable(skb, CAP_SYS_ADMIN))
>>> return -EPERM;
>>> - if (info->attrs[NBD_ATTR_INDEX])
>>> + if (info->attrs[NBD_ATTR_INDEX]) {
>>> index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
>>> +
>>> + /*
>>> + * Too big first_minor can cause duplicate creation of
>>> + * sysfs files/links, since index << part_shift might
>>> overflow, or
>>> + * MKDEV() expect that the max bits of first_minor is 20.
>>> + */
>>> + if (index < 0 || index > MINORMASK >> part_shift) {
>>> + printk(KERN_ERR "nbd: illegal input index %d\n", index);
>>> + return -EINVAL;
>>> + }
>>> + }
>>> if (!info->attrs[NBD_ATTR_SOCKETS]) {
>>> printk(KERN_ERR "nbd: must specify at least one socket\n");
>>> return -EINVAL;
>> .
> .
Powered by blists - more mailing lists