Received: by 2002:a05:6a10:6d25:0:0:0:0 with SMTP id gq37csp1876711pxb; Mon, 13 Sep 2021 07:22:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzNKFA9/BeVxP22kahs4qcrYch6OqjdK6q4OTIxrt4kLpQrzDuLTAy/KZHSkwEnEDtRz0Gi X-Received: by 2002:a05:6e02:d02:: with SMTP id g2mr4500251ilj.69.1631542968762; Mon, 13 Sep 2021 07:22:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631542968; cv=none; d=google.com; s=arc-20160816; b=DLYTmppJjR9VdW6xI8XxhhHQuhxjRyeLLqnfF7gUDydSdgLgzVgB0i4xjsXwU+hlQW pVRX+dAlFcTvukYR6J+EgscGU6w0+vZNXsUyx+nGhRx3NUy8reedkPCfyBpkueXfaKEw 5ui7TCAG4f4mXvXHtUeHi/qAYutE4psc/KN9xRforuVzk5TpZXT5+Fj6cBkb9x6Esy70 YTdWXbdUOwd/RAFaxNVxFWgDv6o63iRdCf/wSaBZacgMyCmKdYTynkIMWpVIIXh2/ApN 4aPX7RoPSEmo8CGrVNhHgvDSmqGPX4IKgAoipU+cqLefVh5Qo1mypCN+777rfzYcwrgA PnVQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=9shqCXCDHqchfDi70c0G4QE2hv7yRw76R6mkAgS9KuA=; b=vRx1Q/3GkKk7mY1ClAygMpXr4hEG0Wr8fpyPKi5Z9DrBRmZ017fFfUKqr76hzBtUCP bwiu1U/q0fLdmMZytAz2jYqJkts582W9b6WTeh5twYUXG5mMCzifrb6MdriI1CqhQeKZ F31U02m9jWUf9druRzBvVW5RSN8eKh3bqT4K6F/P22/10wFJhTz+PDbRSow6cV00JD3a rs9ZoNC9+0ngY7oGhenzxXhf86jHaENqXF/dsZjDbvFqesSGktEpNtSy4dg9jx9zr2Lg GKRhgUHMAtb4hgUQzNBjzvGGfWXqJ80xatFyXRQ94OPJT9GmK+LNcB9lzGPn0EybLYHp CITw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="RwI8HnK/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s9si3814889jat.70.2021.09.13.07.22.35; Mon, 13 Sep 2021 07:22:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="RwI8HnK/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344720AbhIMOWt (ORCPT + 99 others); Mon, 13 Sep 2021 10:22:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:41880 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344454AbhIMOTN (ORCPT ); Mon, 13 Sep 2021 10:19:13 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 67EFD61440; Mon, 13 Sep 2021 13:45:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631540745; bh=mABDKOQrNOYmohIEZGbu+NdedYH3RHu/VM8TY9sq2bI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RwI8HnK/7wI85XXysDWV5+EmlqXEV8I7jicV4IT/nS+2aEc+0sJ1qDgV3ucDFR+eI SuVhiUCx6EDK1Fys3/RAoLD0NSGItewqCVKH1jiMGYQP6cG5KNYVuFzwlbsksZ3RAu RSdh92nx9zFfLRbceswd6shPRG/mMYEYJbfSaMhU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Baokun Li , Josef Bacik , Jens Axboe , Sasha Levin Subject: [PATCH 5.14 018/334] nbd: add the check to prevent overflow in __nbd_ioctl() Date: Mon, 13 Sep 2021 15:11:12 +0200 Message-Id: <20210913131114.028340332@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131113.390368911@linuxfoundation.org> References: <20210913131113.390368911@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Baokun Li [ Upstream commit fad7cd3310db3099f95dd34312c77740fbc455e5 ] If user specify a large enough value of NBD blocks option, it may trigger signed integer overflow which may lead to nbd->config->bytesize becomes a large or small value, zero in particular. UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31 signed integer overflow: 1024 * 4611686155866341414 cannot be represented in type 'long long int' [...] Call trace: [...] handle_overflow+0x188/0x1dc lib/ubsan.c:192 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213 nbd_size_set drivers/block/nbd.c:325 [inline] __nbd_ioctl drivers/block/nbd.c:1342 [inline] nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395 __blkdev_driver_ioctl block/ioctl.c:311 [inline] [...] Although it is not a big deal, still silence the UBSAN by limit the input value. Reported-by: Hulk Robot Signed-off-by: Baokun Li Reviewed-by: Josef Bacik Link: https://lore.kernel.org/r/20210804021212.990223-1-libaokun1@huawei.com [axboe: dropped unlikely()] Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- drivers/block/nbd.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 19f5d5a8b16a..acf3f85bf3c7 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1388,6 +1388,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, unsigned int cmd, unsigned long arg) { struct nbd_config *config = nbd->config; + loff_t bytesize; switch (cmd) { case NBD_DISCONNECT: @@ -1402,8 +1403,9 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, case NBD_SET_SIZE: return nbd_set_size(nbd, arg, config->blksize); case NBD_SET_SIZE_BLOCKS: - return nbd_set_size(nbd, arg * config->blksize, - config->blksize); + if (check_mul_overflow((loff_t)arg, config->blksize, &bytesize)) + return -EINVAL; + return nbd_set_size(nbd, bytesize, config->blksize); case NBD_SET_TIMEOUT: nbd_set_cmd_timeout(nbd, arg); return 0; -- 2.30.2