[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <f9f3b82e-dd37-eff8-3718-1b71746e8c01@redhat.com>
Date: Tue, 6 May 2025 14:28:13 +0200 (CEST)
From: Mikulas Patocka <mpatocka@...hat.com>
To: Tudor Ambarus <tudor.ambarus@...aro.org>
cc: Alasdair Kergon <agk@...hat.com>, Mike Snitzer <snitzer@...nel.org>,
Benjamin Marzinski <bmarzins@...hat.com>, dm-devel@...ts.linux.dev,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] dm: fix copying after src array boundaries
On Tue, 6 May 2025, Tudor Ambarus wrote:
> The blammed commit copied to argv the size of the reallocated argv,
> instead of the size of the old_argv, thus reading and copying from
> past the old_argv allocated memory.
>
> Following BUG_ON was hit:
> [ 3.038929][ T1] kernel BUG at lib/string_helpers.c:1040!
> [ 3.039147][ T1] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
> ...
> [ 3.056489][ T1] Call trace:
> [ 3.056591][ T1] __fortify_panic+0x10/0x18 (P)
> [ 3.056773][ T1] dm_split_args+0x20c/0x210
> [ 3.056942][ T1] dm_table_add_target+0x13c/0x360
> [ 3.057132][ T1] table_load+0x110/0x3ac
> [ 3.057292][ T1] dm_ctl_ioctl+0x424/0x56c
> [ 3.057457][ T1] __arm64_sys_ioctl+0xa8/0xec
> [ 3.057634][ T1] invoke_syscall+0x58/0x10c
> [ 3.057804][ T1] el0_svc_common+0xa8/0xdc
> [ 3.057970][ T1] do_el0_svc+0x1c/0x28
> [ 3.058123][ T1] el0_svc+0x50/0xac
> [ 3.058266][ T1] el0t_64_sync_handler+0x60/0xc4
> [ 3.058452][ T1] el0t_64_sync+0x1b0/0x1b4
> [ 3.058620][ T1] Code: f800865e a9bf7bfd 910003fd 941f48aa (d4210000)
> [ 3.058897][ T1] ---[ end trace 0000000000000000 ]---
> [ 3.059083][ T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
>
> Fix it by copying the size of src, and not the size of dst, as it was.
>
> Fixes: 5a2a6c428190 ("dm: always update the array size in realloc_argv on success")
> Cc: stable@...r.kernel.org
> Signed-off-by: Tudor Ambarus <tudor.ambarus@...aro.org>
> ---
> drivers/md/dm-table.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
> index 9e175c5e0634b49b990436898f63c2b1e696febb..6dae73ee49dbb36d89341ff09556876d0973c4ff 100644
> --- a/drivers/md/dm-table.c
> +++ b/drivers/md/dm-table.c
> @@ -524,9 +524,9 @@ static char **realloc_argv(unsigned int *size, char **old_argv)
> }
> argv = kmalloc_array(new_size, sizeof(*argv), gfp);
> if (argv) {
> - *size = new_size;
> if (old_argv)
> memcpy(argv, old_argv, *size * sizeof(*argv));
> + *size = new_size;
> }
>
> kfree(old_argv);
>
> ---
> base-commit: 92a09c47464d040866cf2b4cd052bc60555185fb
> change-id: 20250506-dm-past-array-boundaries-1fe2f5a1030f
>
> Best regards,
> --
> Tudor Ambarus <tudor.ambarus@...aro.org>
Thanks
I sent a pull request to Linus that includes this patch.
Mikulas
Powered by blists - more mailing lists