Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp1826480pxv;
        Sat, 26 Jun 2021 01:25:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyVnQyCwGK182atC/qhZ9uqbLZOHv1JhQkybvR13mx9/4/ghGZ7H+UEQIOrqDuXIrys88JF
X-Received: by 2002:a92:a002:: with SMTP id e2mr10203893ili.98.1624695929515;
        Sat, 26 Jun 2021 01:25:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1624695929; cv=none;
        d=google.com; s=arc-20160816;
        b=QZf8O8YRBjD1Y+Kuq9ZdgQUlLOCNj35v841JxUB0EOU4/5tgX87OdUQ4hxMu8PmHMe
         +lg1YhhpKnuFxi0nE8bV1crStFiBuvcKsWHq1O6B8EQsiuKUGw8yMC/07UTLeeCFxOL7
         L/klUmR4wxNJuDT68r4aGX9YzznVzWqv62Ho5R6IT7boSns/v7SOs7qyqK8M+05yB+0C
         OpKD/+QYdcGHk3cZ1QU9FxoErqwS0/apf6PHQmcwj6KtA1UbynVYXrhBL/8D+U0mM5gY
         XJA+WIwKUEULTbzAlxt0rx9chU+z8imYMn5YihJIE1GHxZ7pD/0sxqtKaVrYwQUJ2jlD
         T00w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=ocF7LIpSwj3vsZpHqVHvaq9IL3YwB/xApDMByqK67ds=;
        b=DjHQk2eTLNM00lMeym7nuxWR8v6AqngzrhA7cVEw97Xj17sAMTi/8vuJBOQ5kjTvU0
         iGvxXzjnxVvlYs+LxjC2CTE4/MP4jCXi0Nu7Z185f6RbWODp+FYs3zSrxGtFKg8qURel
         yPeHLxnmbwvAgGA/ZsCszfpOO0z8VIfqjrpXyPw5I660g9xUE2qvzNXZq8SN4sIDTBO7
         3QBlVjqC4uUes9O3qyDPO5O9xINmon2fM1KrWUvMAe/QgK6Put/wIIuxpDcX6GUVrBI/
         YemxQXBsMKj1x6ZsFGveN2rT/KjxQlUqDbiDlvZYJYoRThi731q8P++iIRsXmNOZieJS
         2qbA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ok6ehZ3y;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i19si10339925jav.94.2021.06.26.01.25.16;
        Sat, 26 Jun 2021 01:25:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ok6ehZ3y;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229712AbhFZI0g (ORCPT <rfc822;magnuspubb@gmail.com> + 99 others);
        Sat, 26 Jun 2021 04:26:36 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39196 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229518AbhFZI0g (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 26 Jun 2021 04:26:36 -0400
Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1390BC061574;
        Sat, 26 Jun 2021 01:24:14 -0700 (PDT)
Received: by mail-pj1-x1030.google.com with SMTP id g6-20020a17090adac6b029015d1a9a6f1aso8416096pjx.1;
        Sat, 26 Jun 2021 01:24:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=ocF7LIpSwj3vsZpHqVHvaq9IL3YwB/xApDMByqK67ds=;
        b=Ok6ehZ3ywSEcP84JHiXhZnSr6kLHfiTzdhMbOwlbhFnO9JmqUDic3JM4CSYCs5yx3l
         3UVfAKtH25NmZ48EcJgC5jMTnn0f/oKkD2rbRwzUz3OfbhLPPQeBT3Cnh7Lakx0AdL2h
         CjHM6qYnHGKNYS3uZMGroZC+7ezaXW3DbDXETdNqR3vZUhiIN9NKqkOyR3mcVdF9JKlA
         xC0nUeLcDrGklkcGMEFqvVAFC0YOvZ12bTYwoIDObSK4zxYJOtShYfVRn8WI3OmV7cQq
         WhoynDe40Nwyrtww/YWL5JfBfrDhE9TzlKu3NvGs1nd3v/45PAxWZQ8VU/sb9MyWNvOt
         wo0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=ocF7LIpSwj3vsZpHqVHvaq9IL3YwB/xApDMByqK67ds=;
        b=C/xjNCSkLyAF3Rdoa7GX3m9bNWaVZ/zm7nLL+Vk+Pw0R/8RwWHukdYuOIayMvfNlTf
         8E4GWZd8NyAhXHHe/RNyMujpo/axXFKdlAbxInqj7bQ6vL/+6FWl3kqXRSIR522DKIkF
         ZOM4//lo7+uf6ABrcs4sYodkdk5MguCRrOcdOC/8s9XXdHUVEM2zU8LTlNEBYLMlZiDz
         ANzVYXJUIbT3L/yADx8ISP/gISJHKPS+aseVyGyJ3Efvru7o7XMrHhYpuPEBKXrS4jq3
         7sQ6qNW3VoCZHOVIl7cZMbSdicE5DgaRAheXxx4yzfG+en8Y4XvQEBTf9fBObxxjwbSp
         AFMg==
X-Gm-Message-State: AOAM5311uQOXT5bK+eNmbGx9pRIGNIaEjxVZdC08uHvRmo4U39Z2AePd
        DZfhZ6zuX2bBKhDcMsVhEBQ=
X-Received: by 2002:a17:90b:3449:: with SMTP id lj9mr26237121pjb.123.1624695853420;
        Sat, 26 Jun 2021 01:24:13 -0700 (PDT)
Received: from fedora.. ([2405:201:6008:6d7c:6bfd:dac8:eafe:7bde])
        by smtp.googlemail.com with ESMTPSA id h8sm8064995pfn.0.2021.06.26.01.24.10
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 26 Jun 2021 01:24:12 -0700 (PDT)
From:   Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
To:     axboe@kernel.dk, hch@infradead.org
Cc:     Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>,
        linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzbot+cf89d662483d6a1a0790@syzkaller.appspotmail.com
Subject: [PATCH v2] loop: fix setting arbitrarily large block size
Date:   Sat, 26 Jun 2021 13:54:06 +0530
Message-Id: <20210626082406.348821-1-chouhan.shreyansh630@gmail.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210623050933.140572-1-chouhan.shreyansh630@gmail.com>
References: <20210623050933.140572-1-chouhan.shreyansh630@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

loop_validate_block_size took an unsigned short argument. Passing an
argument with size greater than the size of unsigned short would cause
an overflow and could potentially render the upper bound check on the
block size useless, allowing to set an arbitrarily large block size.

Reported-by: syzbot+cf89d662483d6a1a0790@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
---

Changes from v1: Fixed the spelling of reported-by tag. Fixed the
commit message.

 drivers/block/loop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 9a758cf66507..635baff0dd66 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -236,7 +236,7 @@ static void __loop_update_dio(struct loop_device *lo, bool dio)
  * @bsize: size to validate
  */
 static int
-loop_validate_block_size(unsigned short bsize)
+loop_validate_block_size(unsigned long bsize)
 {
 	if (bsize < 512 || bsize > PAGE_SIZE || !is_power_of_2(bsize))
 		return -EINVAL;
-- 
2.31.1