lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251208112552.147756-1-me@linux.beauty>
Date: Mon,  8 Dec 2025 19:25:51 +0800
From: Li Chen <me@...ux.beauty>
To: dm-devel@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Dongsheng Yang <dongsheng.yang@...ux.dev>,
	Zheng Gu <cengku@...il.com>
Cc: Li Chen <me@...ux.beauty>
Subject: [PATCH] dm pcache: reject mappings larger than backing

Reject pcache targets whose logical size exceeds the backing device.
Prevent oversized tables from issuing IO past the end of the backing,
which may corrupt memory and cause kernel crash.

Signed-off-by: Li Chen <me@...ux.beauty>
---
 drivers/md/dm-pcache/dm_pcache.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/md/dm-pcache/dm_pcache.c b/drivers/md/dm-pcache/dm_pcache.c
index e5f5936fa6f0..f72d1ba4b740 100644
--- a/drivers/md/dm-pcache/dm_pcache.c
+++ b/drivers/md/dm-pcache/dm_pcache.c
@@ -199,6 +199,8 @@ static int parse_cache_opts(struct dm_pcache *pcache, struct dm_arg_set *as,
 static int pcache_start(struct dm_pcache *pcache, char **error)
 {
 	int ret;
+	struct dm_target *ti = pcache->ti;
+	struct pcache_backing_dev *backing_dev;
 
 	ret = cache_dev_start(pcache);
 	if (ret) {
@@ -212,6 +214,19 @@ static int pcache_start(struct dm_pcache *pcache, char **error)
 		goto stop_cache;
 	}
 
+	/* Sanity-check: logical size must not exceed backing device size */
+	backing_dev = &pcache->backing_dev;
+	if (ti->len > backing_dev->dev_size) {
+		pcache_dev_err(
+			pcache,
+			"backing device too small: logical=%llu sectors, backing=%llu sectors",
+			(unsigned long long)ti->len,
+			(unsigned long long)backing_dev->dev_size);
+		*error = "Requested mapping exceeds backing device size";
+		ret = -EINVAL;
+		goto stop_backing;
+	}
+
 	ret = pcache_cache_start(pcache);
 	if (ret) {
 		*error = "Failed to start pcache";
-- 
2.51.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ