From: linan666@huaweicloud.com
To: song@kernel.org, neilb@suse.de, Rob.Becker@riverbed.com
Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, linan122@huawei.com, yukuai3@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com
Subject: [PATCH 2/3] md/raid10: fix overflow in safe_delay_store
Date: Thu, 27 Apr 2023 16:56:11 +0800
Message-Id: <20230427085612.1346752-3-linan666@huaweicloud.com>
In-Reply-To: <20230427085612.1346752-1-linan666@huaweicloud.com>
References: <20230427085612.1346752-1-linan666@huaweicloud.com>

From: Li Nan

There is no input check when echo md/safe_mode_delay, and overflow will occur. There is risk of overflow in strict_strtoul_scaled(), too. Fixed it by using kstrtoul instead of parsing word one by one.

Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
Signed-off-by: Li Nan
---
 drivers/md/md.c | 66 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 43 insertions(+), 23 deletions(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c index 8e344b4b3444..faffbd042925 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c 
@@ -3767,35 +3767,51 @@ static int analyze_sbs(struct mddev *mddev) */ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale) { - unsigned long result = 0; - long decimals = -1; - while (isdigit(*cp) || (*cp == '.' && decimals < 0)) { - if (*cp == '.') - decimals = 0; - else if (decimals < scale) { - unsigned int value; - value = *cp - '0'; - result = result * 10 + value; - if (decimals >= 0) - decimals++; - } - cp++; - } - if (*cp == '\n') - cp++; - if (*cp) + unsigned long result = 0, decimals = 0; + char *pos, *str; + int rv; + + str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL); + if (!str) + return -ENOMEM; + pos = strchr(str, '.'); + if (pos) { + int cnt = scale; + + *pos = '\0'; + while (isdigit(*(++pos))) { + if (cnt) { + decimals = decimals * 10 + *pos - '0'; + cnt--; + } + } + if (*pos == '\n') + pos++; + if (*pos) { + kfree(str); + return -EINVAL; + } + decimals *= int_pow(10, cnt); + } + + rv = kstrtoul(str, 10, &result); + kfree(str); + if (rv) + return rv; + + if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale)) return -EINVAL; - if (decimals < 0) - decimals = 0; - *res = result * int_pow(10, scale - decimals); - return 0; + *res = result * int_pow(10, scale) + decimals; + + return rv; } static ssize_t safe_delay_show(struct mddev *mddev, char *page) { - int msec = (mddev->safemode_delay*1000)/HZ; - return sprintf(page, "%d.%03d\n", msec/1000, msec%1000); + unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ; + + return sprintf(page, "%u.%03u\n", msec/1000, msec%1000); } static ssize_t safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) 
@@ -3809,10 +3825,14 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) if (strict_strtoul_scaled(cbuf, &msec, 3) < 0) return -EINVAL; + if (msec > UINT_MAX) + return -EINVAL; + if (msec == 0) mddev->safemode_delay = 0; else { unsigned long old_delay = mddev->safemode_delay; + /* HZ <= 1000, so new_delay < UINT_MAX, too */ unsigned long new_delay = (msec*HZ)/1000; if (new_delay == 0) -- 2.31.1
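Review bot: in the first hunk, strict_strtoul_scaled() now rejects input that starts with the decimal point (for example ".5"): `*pos = '\0'` leaves str empty, and kstrtoul(str, 10, &result) returns -EINVAL for an empty string, whereas the removed loop accepted a leading '.' with result still 0. If that form should keep working for sysfs writers, skip the kstrtoul() call when the integer part is empty; otherwise state in the commit message that a leading digit is now required. Separately, the overflow check divides by `(unsigned int)int_pow(10, scale)` while the next line multiplies by the uncast `int_pow(10, scale)`; computing the multiplier once into a local and using it in both places keeps the check and the arithmetic in step, and the final `return rv;` can be `return 0;` since rv is known to be 0 there.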
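Review bot: in the second hunk, the new `if (msec > UINT_MAX)` check in safe_delay_store() only has an effect where unsigned long is wider than unsigned int. msec is an unsigned long (it is passed as &msec to strict_strtoul_scaled()), so on a 32-bit build the condition is never true and `(msec*HZ)/1000` can still wrap for large msec when HZ > 1. The added comment "HZ <= 1000, so new_delay < UINT_MAX, too" therefore holds only when the multiplication itself cannot overflow. Consider also rejecting msec > ULONG_MAX / HZ, or doing the multiplication in a 64-bit type, and say so in the comment. The comment's bound is also off by one: msec == UINT_MAX with HZ == 1000 gives new_delay == UINT_MAX, so "<=" is the accurate relation.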