Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp1391196ybz; Thu, 16 Apr 2020 08:21:25 -0700 (PDT) X-Google-Smtp-Source: APiQypLGt2mUWELkZ8eQYxiEk9AgIGKKJnG1c3HDD/jk/AUN4YO3V/lGL7qBC/5RUZ7sIxtMtrj5 X-Received: by 2002:aa7:d3cb:: with SMTP id o11mr20870101edr.194.1587050484811; Thu, 16 Apr 2020 08:21:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587050484; cv=none; d=google.com; s=arc-20160816; b=THulfKYWhaXrZ4EqLHxTAKpmadTzaSdmMH4UuMP6YMenYlp/VEg1RFn1IygksaK46w Xr1y7vD1hT5eJpehm2F9Cm5zfJd+Q0emGG88oNiSQoJI6amH9Wc9dTb4B1FanPDkEcrT V44X+/kaJftsa7uBusBPgyRLlBglNrhAPcOt1up+jjCYelXZO/TC5BOaopHEPDNxMFO6 nA3RctWbpa+AaV0uq1BTb8OEg9m4jz9wZzwykXdvqJHOHVP+FDi6WhY780XNeYe8Ei3l Nn8zrjUVQXwOb27QdfqaOl29NmodPUAxNZmOaV+4ikGitz2eER0S496FcpsTlcTyMhIP hCZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=RSLPwdhE4OjZrOv989j4UK3kfN09/ZMyEVPgSKu/NNo=; b=GX4ncTUk3VVkr4m4h/j8mrnzWmFKtFYvk8N3B4yJPrVag5teMBd6Z7LcXrnj7ZKDBL Vlmvrpb3TkSNC+6nLdl9p/OvKU5PvZYnIdMto7kjfRA5+BqBnGae/Gc/dikw1HX432An RsMmVGQJ0tffBpll6nYj++oIKZU9RpHFORUobA9JwWB78N95+NjfK1yvLdy2VKfrPIMI p3R1la7cK7V2aCyfjmP7f0ErJWCRGHNrpbg2FenZJHKGrGviRWywrgXTrSl3f+B8yfMQ 4J7xVqFESPysJsrYqU8krroj9vAv0tR5OQ/RMmdPf062yvUJsraseEAikjma4+IGRne4 v+xw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=EmwCnnCh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u19si1579424ejt.101.2020.04.16.08.20.59; Thu, 16 Apr 2020 08:21:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=EmwCnnCh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2441671AbgDPPRI (ORCPT + 99 others); Thu, 16 Apr 2020 11:17:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:35080 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2898810AbgDPNtE (ORCPT ); Thu, 16 Apr 2020 09:49:04 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 18EB120732; Thu, 16 Apr 2020 13:49:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1587044943; bh=auqJTuhnImmvDb6H+sMUIzlvMxOs3HGqAdeRAdKYAU8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EmwCnnChByk15E/xLhyDfiC/99mAvwYknOHsQ/6G8xuDSDsIlbJLmmf6xg2gAlIDA E9IBfbyVnyPskJHXmb4FEqGJjWPmYpo8heDaVM5OkvP6Qw6V/BJbaEW0Zq6SoGwRO6 n26ZUKdXnbc83W6yCXqYS1CXjHIid45ELkwSII+A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikos Tsironis , Mike Snitzer Subject: [PATCH 5.4 164/232] dm clone: Add overflow check for number of regions Date: Thu, 16 Apr 2020 15:24:18 +0200 Message-Id: <20200416131335.527671917@linuxfoundation.org> X-Mailer: git-send-email 2.26.1 In-Reply-To: <20200416131316.640996080@linuxfoundation.org> References: <20200416131316.640996080@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nikos Tsironis commit cd481c12269b4d276f1a52eda0ebd419079bfe3a upstream. Add overflow check for clone->nr_regions variable, which holds the number of regions of the target. The overflow can occur with sufficiently large devices, if BITS_PER_LONG == 32. E.g., if the region size is 8 sectors (4K), the overflow would occur for device sizes > 34359738360 sectors (~16TB). This could result in multiple device sectors wrongly mapping to the same region number, due to the truncation from 64 bits to 32 bits, which would lead to data corruption. Fixes: 7431b7835f55 ("dm: add clone target") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman --- drivers/md/dm-clone-target.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/drivers/md/dm-clone-target.c +++ b/drivers/md/dm-clone-target.c @@ -1775,6 +1775,7 @@ error: static int clone_ctr(struct dm_target *ti, unsigned int argc, char **argv) { int r; + sector_t nr_regions; struct clone *clone; struct dm_arg_set as; @@ -1816,7 +1817,16 @@ static int clone_ctr(struct dm_target *t goto out_with_source_dev; clone->region_shift = __ffs(clone->region_size); - clone->nr_regions = dm_sector_div_up(ti->len, clone->region_size); + nr_regions = dm_sector_div_up(ti->len, clone->region_size); + + /* Check for overflow */ + if (nr_regions != (unsigned long)nr_regions) { + ti->error = "Too many regions. Consider increasing the region size"; + r = -EOVERFLOW; + goto out_with_source_dev; + } + + clone->nr_regions = nr_regions; r = validate_nr_regions(clone->nr_regions, &ti->error); if (r)