lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAPhsuW5vRg1EQgiJeV4p4ALsQNL36vJrSrT6ESCkYUuDJmhodA@mail.gmail.com>
Date:   Mon, 11 Sep 2023 14:43:44 -0700
From:   Song Liu <song@...nel.org>
To:     Pavel Machek <pavel@...x.de>
Cc:     Sasha Levin <sashal@...nel.org>, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org, Zhang Shurong <zhang_shurong@...mail.com>,
        Yu Kuai <yukuai3@...wei.com>, linux-raid@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 4.14 2/3] md: raid1: fix potential OOB in raid1_remove_disk()

On Mon, Sep 11, 2023 at 2:49 AM Pavel Machek <pavel@...x.de> wrote:
>
> Hi!
>
> > From: Zhang Shurong <zhang_shurong@...mail.com>
> >
> > [ Upstream commit 8b0472b50bcf0f19a5119b00a53b63579c8e1e4d ]
> >
> > If rddev->raid_disk is greater than mddev->raid_disks, there will be
> > an out-of-bounds in raid1_remove_disk(). We have already found
> > similar reports as follows:
> >
> > 1) commit d17f744e883b ("md-raid10: fix KASAN warning")
> > 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
> >
> > Fix this bug by checking whether the "number" variable is
> > valid.
>
> > +++ b/drivers/md/raid1.c
> > @@ -1775,6 +1775,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
> >       struct r1conf *conf = mddev->private;
> >       int err = 0;
> >       int number = rdev->raid_disk;
> > +
> > +     if (unlikely(number >= conf->raid_disks))
> > +             goto abort;
> > +
> >       struct raid1_info *p = conf->mirrors + number;
> >
> >       if (rdev != p->rdev)
>
> Wow. Mixing declarations and code. I'm pretty sure that's not ok
> according to our coding style, and I'd be actually surprised if all
> our compiler configurations allowed this.
>

We have a fix queued for this:

https://git.kernel.org/pub/scm/linux/kernel/git/song/md.git/commit/?h=md-fixes&id=df203da47f4428bc286fc99318936416253a321c

Thanks,
Song

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ