Date: Fri, 23 Aug 2019 09:54:09 -0400 (EDT)
From: Mikulas Patocka
To: Zhang Tao
cc: agk@redhat.com, snitzer@redhat.com, Zhang Tao, dm-devel@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] dm table: fix invalid memory accesses with too high sector number
References: <1566351211-13280-1-git-send-email-kontais@zoho.com>

If the sector number is too high, dm_table_find_target should return a pointer to a zeroed dm_target structure (the caller should test it with dm_target_is_valid). However, for some table sizes, the code in dm_table_find_target that performs btree lookup will access out of bound memory structures.

This patch fixes the bug by testing the sector number at the beginning of dm_table_find_target. We add an "inline" keyword to the function dm_table_get_size because this is a hot path.

Signed-off-by: Mikulas Patocka
Reported-by: Zhang Tao
Fixes: 512875bd9661 ("dm: table detect io beyond device")
Cc: stable@vger.kernel.org

--- drivers/md/dm-table.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) Index: linux-2.6/drivers/md/dm-table.c =================================================================== --- linux-2.6.orig/drivers/md/dm-table.c 2019-08-23 13:40:51.000000000 +0200 +++ linux-2.6/drivers/md/dm-table.c 2019-08-23 15:43:19.000000000 +0200 
@@ -1342,7 +1342,7 @@ void dm_table_event(struct dm_table *t) } EXPORT_SYMBOL(dm_table_event); -sector_t dm_table_get_size(struct dm_table *t) +inline sector_t dm_table_get_size(struct dm_table *t) { return t->num_targets ? (t->highs[t->num_targets - 1] + 1) : 0; } @@ -1367,6 +1367,9 @@ struct dm_target *dm_table_find_target(s unsigned int l, n = 0, k = 0; sector_t *node; + if (unlikely(sector >= dm_table_get_size(t))) + return &t->targets[t->num_targets]; + for (l = 0; l < t->depth; l++) { n = get_child(n, k); node = get_node(t, l, n);
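
Review bot: In the first hunk (-1342), `inline` is put on a definition of dm_table_get_size that has no `static`, so the function keeps external linkage and the keyword is only a hint. The new caller in dm_table_find_target lives in the same file and the body is a single return statement, so the compiler can already inline it there. If the hot-path cost matters, a small `static inline` helper used by both dm_table_get_size and dm_table_find_target would state the intent more clearly than marking the non-static function itself.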
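
Review bot: The early return added at the top of dm_table_find_target (second hunk, -1367) hands back `&t->targets[t->num_targets]`, one slot past the last real target, and nothing in the hunk documents that this slot exists and is zeroed. The commit message says callers are expected to test the result with dm_target_is_valid, so a short comment above the check stating that invariant would keep a later change to the targets allocation from turning this into an out-of-bounds pointer. The empty-table case also deserves a look: dm_table_get_size returns 0 when num_targets is 0, so every sector takes this path and the function returns `&t->targets[0]`; it is worth confirming that t->targets is allocated in that state.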