From: Baokun Li
CC: Hulk Robot
Subject: [PATCH -next v2] nbd: add the check to prevent overflow in __nbd_ioctl()
Date: Mon, 2 Aug 2021 15:56:15 +0800
Message-ID: <20210802075615.4037698-1-libaokun1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

If the user specifies a large enough value of NBD blocks option, it may trigger
signed integer overflow which may lead to nbd->config->bytesize becoming a
large or small value, zero in particular.

UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31
signed integer overflow:
1024 * 4611686155866341414 cannot be represented in type 'long long int'
[...]
Call trace:
[...]
 handle_overflow+0x188/0x1dc lib/ubsan.c:192
 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
 nbd_size_set drivers/block/nbd.c:325 [inline]
 __nbd_ioctl drivers/block/nbd.c:1342 [inline]
 nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395
 __blkdev_driver_ioctl block/ioctl.c:311 [inline]
[...]

Although it is not a big deal, still silence the UBSAN by limiting the
input value.

Reported-by: Hulk Robot
Signed-off-by: Baokun Li
---
V1->V2:
	Use check_mul_overflow().

 drivers/block/nbd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index c38317979f74..9f3e25f74e9b 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1384,6 +1384,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, unsigned int cmd, unsigned long arg) { struct nbd_config *config = nbd->config; + loff_t bytesize; switch (cmd) { case NBD_DISCONNECT: 
@@ -1398,8 +1399,10 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, case NBD_SET_SIZE: return nbd_set_size(nbd, arg, config->blksize); case NBD_SET_SIZE_BLOCKS: - return nbd_set_size(nbd, arg * config->blksize, - config->blksize); + if (unlikely(check_mul_overflow(arg, config->blksize, + &bytesize))) + return -EINVAL; + return nbd_set_size(nbd, bytesize, config->blksize); case NBD_SET_TIMEOUT: nbd_set_cmd_timeout(nbd, arg); return 0; -- 2.31.1
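
Review bot: In the NBD_SET_SIZE_BLOCKS case, check_mul_overflow() is given arg, which the function signature declares as unsigned long, together with a loff_t destination (the bytesize local added in the first hunk), so the operands and the result do not share one type. The helper is meant to be called with matching types, and on 32-bit builds unsigned long is also narrower than loff_t, so this call is likely to draw a distinct-type warning. Consider copying arg into a loff_t local first, rejecting values that do not fit, and then multiplying two loff_t values. Two smaller points: bytesize is used only in this one case, so it could live in a block scoped to that case, and the changelog says the input is limited while the code rejects it with -EINVAL, which is worth stating precisely.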
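
The overflow described in the commit message, as an added userspace example (not code from the patch or from the kernel): it reproduces the UBSAN operands, shows a block count that wraps the byte size to zero, and contrasts that with a checked multiply. The function names are hypothetical, and the compiler builtin __builtin_mul_overflow stands in for the kernel's check_mul_overflow().

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the unchecked path: blocks * blksize stored in a signed 64-bit
 * byte size. The multiply is done in unsigned arithmetic so the wrap is
 * well defined in this demo; the kernel's signed multiply is what UBSAN flags. */
static long long bytesize_unchecked(unsigned long long blocks, long long blksize)
{
    return (long long)(blocks * (unsigned long long)blksize);
}

/* Model of the checked path: false means "reject the request", which is
 * where the patch returns -EINVAL. Both operands are brought to one signed
 * 64-bit type before the multiply. */
static bool bytesize_checked(unsigned long long blocks, long long blksize,
                             long long *out)
{
    if (blocks > (unsigned long long)LLONG_MAX)
        return false;               /* block count does not fit the signed type */
    return !__builtin_mul_overflow((long long)blocks, blksize, out);
}

int main(void)
{
    /* Constructed inputs: the pair from the UBSAN report, a block count
     * whose product is exactly 2^64, and an ordinary request. */
    const unsigned long long samples[] = {
        4611686155866341414ULL, 1ULL << 54, 2048ULL
    };
    const long long blksize = 1024;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long long size = 0;
        bool ok = bytesize_checked(samples[i], blksize, &size);

        printf("blocks=%llu unchecked=%lld checked=%s\n", samples[i],
               bytesize_unchecked(samples[i], blksize),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```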