From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Joe Thornber, Mike Snitzer, Sasha Levin, agk@redhat.com, dm-devel@redhat.com
Subject: [PATCH AUTOSEL 5.16 196/217] dm btree: add a defensive bounds check to insert_at()
Date: Mon, 17 Jan 2022 21:19:19 -0500
Message-Id: <20220118021940.1942199-196-sashal@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220118021940.1942199-1-sashal@kernel.org>
References: <20220118021940.1942199-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Joe Thornber

[ Upstream commit 85bca3c05b6cca31625437eedf2060e846c4bbad ]

Corrupt metadata could trigger an out of bounds write.

Signed-off-by: Joe Thornber
Signed-off-by: Mike Snitzer
Signed-off-by: Sasha Levin
---
 drivers/md/persistent-data/dm-btree.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c index 0703ca7a7d9a4..5ce64e93aae74 100644 --- a/drivers/md/persistent-data/dm-btree.c +++ b/drivers/md/persistent-data/dm-btree.c @@ -81,14 +81,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n, } static int insert_at(size_t value_size, struct btree_node *node, unsigned index, - uint64_t key, void *value) - __dm_written_to_disk(value) + uint64_t key, void *value) + __dm_written_to_disk(value) { uint32_t nr_entries = le32_to_cpu(node->header.nr_entries); + uint32_t max_entries = le32_to_cpu(node->header.max_entries); __le64 key_le = cpu_to_le64(key); if (index > nr_entries || - index >= le32_to_cpu(node->header.max_entries)) { + index >= max_entries || + nr_entries >= max_entries) { DMERR("too many entries in btree node for insert"); __dm_unbless_for_disk(value); return -ENOMEM; -- 2.34.1
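
Review bot: In the new condition in insert_at(), `max_entries` is read from the same on-disk header (`node->header.max_entries`) as `nr_entries`, so the added `nr_entries >= max_entries` clause only shows that the two header fields are consistent with each other, not that either one fits the node's buffer. If the "corrupt metadata" in the commit message can include a bad `max_entries`, the check should also compare against a bound derived from the block size and `value_size`, or the commit message should say where `max_entries` is validated; nothing in this hunk shows that. Two smaller points on the same condition: once `index > nr_entries` and `nr_entries >= max_entries` are both rejected, the middle clause `index >= max_entries` can no longer be true on its own and could be dropped; and the failure path still logs "too many entries in btree node for insert" and returns -ENOMEM, which reads as an allocation failure rather than corruption, so a distinct message or error code would make this easier to triage. The removed and added `uint64_t key, void *value)` and `__dm_written_to_disk(value)` lines are textually identical here, so that part looks like indentation-only churn that would be better kept out of a fix headed for stable.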