Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp2894910pxy; Tue, 3 Aug 2021 19:05:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyjqTWlSDkM23vHAujp6T18gbdpcduczE3mwR4/tZBjToPP+TmNe0mlnd/os8tJhbity6Dz X-Received: by 2002:a05:6402:516f:: with SMTP id d15mr30210057ede.210.1628042726650; Tue, 03 Aug 2021 19:05:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628042726; cv=none; d=google.com; s=arc-20160816; b=hEZfVGHU0cQQgHth0KGdbO0yCVxdAwYAw2W6a1p802nINWe+HYkt68xaVrIrXO6mWL slXbAv/Y8KDsMf8UoAkLCCVlgG4MTqfB8OiVpZSpoiSY35S+f4nZ6+4NVemIF6u5nAB1 Fu+wbfgKKmjE8wCP+asqS+QCSXTKAcqtyOztuXKv2tgUaO9f2WBE2zHlBLTX+QQsxXPH l+6HUs4OFXutRvbH87YuxOsI92kwrgQsta3fTaYn1FoKltpzCR4AQQ2reZ6E0OF9Ljf2 V286LWH2FchJo2ZAmY6PdaDH53CMH0/MT6DwtNziipacpgDWVKJLm4K+M6UvX0zBfAH6 uuIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=V/4pWf5MaWYj3bNybSspQQbPXUMZyqImDL8+pKgCaa4=; b=0iFHCjMc8pxA22ta/vejoSVw0JahQNJaJvEPSN6oSGi7aZSSum9x/OYm9gGkgZyNCS UUSvHdUrQC2EcScTm0+jXwQQ4QNgS/NOBfi2Sjv5kKA85tl//gh188rhz+xME1BPTuNc rGBYEt29ts8up3vVC7bJYwdPy/u5ASRoixtNdrnxWrfxsTkei0UKG53IkpkO4sOG09BG ZdxX8X1w9bg99Ja5Vr683+G8N/XKhRdOx6eip1gOvVH3wLA5qdL97NSGcw/cY81vebnN rir6AmUfiEPbu6YWRvgi98IvcprTFj1Kk3UsIM/RLqu64JHQt+6qBtKAjFQQUJKbLEf6 INCA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cz3si630985edb.579.2021.08.03.19.05.04; Tue, 03 Aug 2021 19:05:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233841AbhHDCBj (ORCPT + 99 others); Tue, 3 Aug 2021 22:01:39 -0400 Received: from szxga03-in.huawei.com ([45.249.212.189]:13273 "EHLO szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229869AbhHDCBi (ORCPT ); Tue, 3 Aug 2021 22:01:38 -0400 Received: from dggemv704-chm.china.huawei.com (unknown [172.30.72.55]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4GfZbk0H72z82X0; Wed, 4 Aug 2021 09:56:34 +0800 (CST) Received: from dggpeml500020.china.huawei.com (7.185.36.88) by dggemv704-chm.china.huawei.com (10.3.19.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Wed, 4 Aug 2021 10:01:20 +0800 Received: from huawei.com (10.175.127.227) by dggpeml500020.china.huawei.com (7.185.36.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Wed, 4 Aug 2021 10:01:19 +0800 From: Baokun Li To: , , , , CC: , , , "Hulk Robot" Subject: [PATCH -next v3] nbd: add the check to prevent overflow in __nbd_ioctl() Date: Wed, 4 Aug 2021 10:12:12 +0800 Message-ID: <20210804021212.990223-1-libaokun1@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.127.227] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500020.china.huawei.com (7.185.36.88) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If user specify a large enough value of NBD blocks option, it may trigger signed integer overflow which may lead to nbd->config->bytesize becomes a large or small value, zero in particular. UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31 signed integer overflow: 1024 * 4611686155866341414 cannot be represented in type 'long long int' [...] Call trace: [...] handle_overflow+0x188/0x1dc lib/ubsan.c:192 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213 nbd_size_set drivers/block/nbd.c:325 [inline] __nbd_ioctl drivers/block/nbd.c:1342 [inline] nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395 __blkdev_driver_ioctl block/ioctl.c:311 [inline] [...] Although it is not a big deal, still silence the UBSAN by limit the input value. Reported-by: Hulk Robot Signed-off-by: Baokun Li --- V1->V2: Use check_mul_overflow(). V2->V3: The check_mul_overflow function requires the same input parameter type. drivers/block/nbd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index c38317979f74..5a42b838d26c 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1384,6 +1384,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, unsigned int cmd, unsigned long arg) { struct nbd_config *config = nbd->config; + loff_t bytesize; switch (cmd) { case NBD_DISCONNECT: @@ -1398,8 +1399,11 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, case NBD_SET_SIZE: return nbd_set_size(nbd, arg, config->blksize); case NBD_SET_SIZE_BLOCKS: - return nbd_set_size(nbd, arg * config->blksize, - config->blksize); + if (unlikely(check_mul_overflow((loff_t)arg, + config->blksize, + &bytesize))) + return -EINVAL; + return nbd_set_size(nbd, bytesize, config->blksize); case NBD_SET_TIMEOUT: nbd_set_cmd_timeout(nbd, arg); return 0; -- 2.31.1