Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp221247pxt; Wed, 11 Aug 2021 19:15:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDig6mOtLpxqR0Fwx2EiWPLnagxfRnslqmbqVWvlk/tDC7ihg/UqjrnqeexOTvkEptTVA5 X-Received: by 2002:a05:6638:618:: with SMTP id g24mr1648622jar.94.1628734518408; Wed, 11 Aug 2021 19:15:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628734518; cv=none; d=google.com; s=arc-20160816; b=HDHDCcMAJU+GeQ7KinUKRHqeSqhb3q9Te3/5iqLdyWkfSEFR8Qq1TOTIVrzgxYa/9W J14dOU+hF+X9ypSseIhxqiLkujMGllBp4IDiLcyl+3TuaTIGyY53yM7lFtScJExB2HWp uO7OM8ofZGYmWRIomfi6lc/kGhMqYYW4tDA17YZbwq6SCQqsHsg91/5XmUibMporE41t 35S201x1flIxfmUiyEinurd3rDvEn2UycpKgRgkejIV6wb6eM/aLT+4BQy52ZOMW7ulF s+R76yDtzmMbfSqn/0K29+SCmuvEaADts0RSdRQkDO3HkLUvWU2FJQF9tMpAZbHjliag z9sA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=Wj7cTasRs/LFrqD5B3FvW6ajeNSiNgJYeup3Zvy1Mj0=; b=FwzJmfEVROrlGgrpuDtdQaySsfobPesVHk0iXZ9cPKFvfokadOZ0ekn1mmmsllj/Im prAR1UJKwizC9+g6Z4tkYqPLcWw0dPsIIH0iF4hSHqrjBVTwnTjEI+fmxDScIl21CViu 69JDYpyLL0x4mUAwWEg4BM1/Gkp9lv99gxrcENl3FU7X8E4MsApEf1WZQkbjcKFhYyoc yc0Ku13UepZSNw636zI5OS5ajlVpSICX6QRmh1y7CTsN/yd3BGLlmWhNPRHPghsej7Z2 PwXOmf4tpQ0dtXecpPyrqBuzood/LDASDuc6BDHxe40yhmi+hdZBzhrSLarZ1woKiBgG P80g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a12si1257922jac.69.2021.08.11.19.15.06; Wed, 11 Aug 2021 19:15:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233390AbhHLB4H (ORCPT + 99 others); Wed, 11 Aug 2021 21:56:07 -0400 Received: from szxga02-in.huawei.com ([45.249.212.188]:13415 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233237AbhHLB4G (ORCPT ); Wed, 11 Aug 2021 21:56:06 -0400 Received: from dggemv711-chm.china.huawei.com (unknown [172.30.72.55]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4GlV6m3sPQzdZWr; Thu, 12 Aug 2021 09:52:00 +0800 (CST) Received: from dggpeml500020.china.huawei.com (7.185.36.88) by dggemv711-chm.china.huawei.com (10.1.198.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Thu, 12 Aug 2021 09:55:34 +0800 Received: from [10.174.177.174] (10.174.177.174) by dggpeml500020.china.huawei.com (7.185.36.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Thu, 12 Aug 2021 09:55:33 +0800 Subject: Re: [PATCH -next v3] nbd: add the check to prevent overflow in __nbd_ioctl() To: , , , , CC: , , Hulk Robot References: <20210804021212.990223-1-libaokun1@huawei.com> From: "libaokun (A)" Message-ID: <572832a1-818e-1309-08f5-4a3dc2b03999@huawei.com> Date: Thu, 12 Aug 2021 09:55:33 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0 MIME-Version: 1.0 In-Reply-To: <20210804021212.990223-1-libaokun1@huawei.com> Content-Type: text/plain; charset="gbk"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.177.174] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500020.china.huawei.com (7.185.36.88) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ?? 2021/8/4 10:12, Baokun Li ะด??: > If user specify a large enough value of NBD blocks option, it may trigger > signed integer overflow which may lead to nbd->config->bytesize becomes a > large or small value, zero in particular. > > UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31 > signed integer overflow: > 1024 * 4611686155866341414 cannot be represented in type 'long long int' > [...] > Call trace: > [...] > handle_overflow+0x188/0x1dc lib/ubsan.c:192 > __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213 > nbd_size_set drivers/block/nbd.c:325 [inline] > __nbd_ioctl drivers/block/nbd.c:1342 [inline] > nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395 > __blkdev_driver_ioctl block/ioctl.c:311 [inline] > [...] > > Although it is not a big deal, still silence the UBSAN by limit > the input value. > > Reported-by: Hulk Robot > Signed-off-by: Baokun Li > --- > V1->V2: > Use check_mul_overflow(). > V2->V3: > The check_mul_overflow function requires the same input parameter type. > > drivers/block/nbd.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c > index c38317979f74..5a42b838d26c 100644 > --- a/drivers/block/nbd.c > +++ b/drivers/block/nbd.c > @@ -1384,6 +1384,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, > unsigned int cmd, unsigned long arg) > { > struct nbd_config *config = nbd->config; > + loff_t bytesize; > > switch (cmd) { > case NBD_DISCONNECT: > @@ -1398,8 +1399,11 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, > case NBD_SET_SIZE: > return nbd_set_size(nbd, arg, config->blksize); > case NBD_SET_SIZE_BLOCKS: > - return nbd_set_size(nbd, arg * config->blksize, > - config->blksize); > + if (unlikely(check_mul_overflow((loff_t)arg, > + config->blksize, > + &bytesize))) > + return -EINVAL; > + return nbd_set_size(nbd, bytesize, config->blksize); > case NBD_SET_TIMEOUT: > nbd_set_cmd_timeout(nbd, arg); > return 0; ping