| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_E2C71605D88087940237AA9A44CC8D436D06@qq.com>
Date: Thu, 13 Jul 2023 00:46:05 +0800
From: Zhang Shurong <zhang_shurong@...mail.com>
To: song@...nel.org
Cc: linux-raid@...r.kernel.org, linux-kernel@...r.kernel.org,
Zhang Shurong <zhang_shurong@...mail.com>
Subject: [PATCH] md: fix potential OOB in multipath_remove_disk()
If rddev->raid_disk is greater than mddev->raid_disks, there will be
an out-of-bounds in multipath_remove_disk. We have already found
similar reports as follows:
1) commit d17f744e883b ("md-raid10: fix KASAN warning")
2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
Fix this bug by checking whether the "number" variable is
valid.
Signed-off-by: Zhang Shurong <zhang_shurong@...mail.com>
---
drivers/md/md-multipath.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/md/md-multipath.c b/drivers/md/md-multipath.c
index 92c45be203d7..7b6aadd8c1fb 100644
--- a/drivers/md/md-multipath.c
+++ b/drivers/md/md-multipath.c
@@ -245,7 +245,11 @@ static int multipath_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
struct mpconf *conf = mddev->private;
int err = 0;
int number = rdev->raid_disk;
- struct multipath_info *p = conf->multipaths + number;
+ struct multipath_info *p;
+
+ if (unlikely(number >= mddev->raid_disks))
+ return 0;
+ p = conf->multipaths + number;
print_multipath_conf(conf);
--
2.30.2
Powered by blists - more mailing lists