Received: by 2002:a05:6358:701b:b0:131:369:b2a3 with SMTP id 27csp869484rwo; Sat, 22 Jul 2023 01:39:54 -0700 (PDT) X-Google-Smtp-Source: APBJJlFduv3SqOZTpDNWNMVHtrbCDJuzqp8KN31sO/8umICfgygHLtQdXTtOiDTSpLtAqVQX9DQa X-Received: by 2002:a05:6a00:281e:b0:668:8ad5:778f with SMTP id bl30-20020a056a00281e00b006688ad5778fmr2244761pfb.17.1690015194699; Sat, 22 Jul 2023 01:39:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690015194; cv=none; d=google.com; s=arc-20160816; b=cxuqi5MSKo7KInnMgEF/IcrNH/2K8D7tzxkDEFId/cWh/u/uO7q3jDLY1qddohVaFR MIK0X5odRO83igEyKnYvR5lc86uoD9TptHETNrqXJpPU96/bznPHOzxJ9NSsZv7sSFnc 2kEytT0Na5SnmWMoXb6K7LL9DPhQAbEFNnozsbQXkS4ZOeBn2NDJVVLOIey3jvDIn520 mk+Z/t4qFiie59lkEenSaXqCUv6mftpHngnrfchFKx6RY8iNKhBcRoADTcAcn77x/TVK oK2Q8sjIoQiHFcsz1uqIjGAIOrF3pbd8JK3su7ZfQMRXdGXrg045UMcRJAxP4H24Wgic 1jSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version:date :subject:cc:to:from:message-id:dkim-signature; bh=WudfsQrb7fYoExuk3p2L4EzuP2QiuNE7sYpPMjsBwbg=; fh=Iawa26b1W8awmqBpEnse/hGaRIFaTA9CTmzb3fFL8Z0=; b=gp22aFRHLOKpOmxBcRj2xM9l+3bjHZdkgiq68izBN7LRI61gCh+G3mMxhZTosIY+o1 jG2lARwOUrDJ0A/4fRgRRclaD3Pfb7hmv6oKDPtEw4MO1V1VmWJnP11DedjTiuC1cuBn ChJP9wPAM95cewCHL3aTeySmxESEHsBJM4UrknKC6sP3MwWipx9ddBU3rH7t+tt3ZEjr iJP8s3GS4WgtJTr59w9hnP/Caw/7q0WTCIWURGDxYDy2w5gXD3weN7tn+hGe2ywCntwH q7Eo5+nhhlcc6dqUd9fQNlvmVZ04VzS7UN4HmvQaJo4GMl4QPLGFIUqfloYof4LM8ugQ /v/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@foxmail.com header.s=s201512 header.b=JKTJ51N8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y1-20020a634b01000000b0055392732f64si4873127pga.498.2023.07.22.01.39.30; Sat, 22 Jul 2023 01:39:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@foxmail.com header.s=s201512 header.b=JKTJ51N8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231389AbjGVHyN (ORCPT + 99 others); Sat, 22 Jul 2023 03:54:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36532 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229704AbjGVHyM (ORCPT ); Sat, 22 Jul 2023 03:54:12 -0400 Received: from out203-205-221-210.mail.qq.com (out203-205-221-210.mail.qq.com [203.205.221.210]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34E142715; Sat, 22 Jul 2023 00:54:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foxmail.com; s=s201512; t=1690012449; bh=WudfsQrb7fYoExuk3p2L4EzuP2QiuNE7sYpPMjsBwbg=; h=From:To:Cc:Subject:Date; b=JKTJ51N8XQTfH4R+TQ4W7bL+9wGiQcCRfBjNYatBswziAQ824x7ab6KecETdRtt9/ hSZfJvmzArmPL59S2sM5CQfS66GuI6vTQqA3SoQufTAujff363UOScs/kzI3ki31q/ fUlaLTX4ZkXZxXvmokurSqG6R1fD40Exs5kKDSPc= Received: from localhost.localdomain ([220.243.131.5]) by newxmesmtplogicsvrsza10-0.qq.com (NewEsmtp) with SMTP id D81AF2DC; Sat, 22 Jul 2023 15:54:01 +0800 X-QQ-mid: xmsmtpt1690012441tzvuelqpp Message-ID: X-QQ-XMAILINFO: NkaTxwcgdNx6R4hM3qsGEhwYqZX72z8eb2D4dF/ixdZi527l2a9F/fwgvvFPw3 zgyWQM9/ghVRfeq+EZHGdUJOGXAdlf5jB5mUiHdFOkZiUN0H5BABF0yvaT681kiJ6FECB2HmNEqt rO2m0bnXNWxsSmLPr3pGDx8Xm9WZvW7WrLhdnBgKiLPWhIb8p3+ummNc/T8A+x2TOumc8HVpXwrV fWzIFZ/qFQknz0WG/IMYoWf/N44VuAriIq9f3Z7C759/DP+aFEHQPeteFVEmG5cDCX60bzwA1v2v uJnzqbWgfmCP9JrpyJsXFt1SyRpivISUq0gwOv13J1q4drV6NFLljNrtHdyzHJYsOU2bPedcL/LG JYGKTiNHOxVDkeg/aC4MYq8vz3dLweYbPRZm+NQ3onT24CP22UgqTYxvg2UsAkvyo0KqZD85ySXR CSaIu/EoLD44+Zi/xcGtLAVPfzSsIBdbDmKmmcADH8Zx18GtU8X5SQROQR50NWkii7u7y56QQIuF QqVQTZfOfXihxpkOm40RKTh9t4lF2dw2i6BUbf60ppSSzkj5W3jR/+PvJW0fYKLmyi0z6FekTSXX jMrrd96xaoK18qy/iAyz9sZJYTjvU1K+lbLqhjcfMsWyCscNLD4OHV0knIWvFdXibM68Bj3/HVWt +5+MMN2t3velWD4SXhft079+1Z+KcEFgOdGXFX6S7yr/ZTlY5w+omIn0Wc0bJ/x+bRcudCZSrtTx Vo99pgxOEvP8yQelHea5B8umf9Kmz+jAKE+ekITchAl57yyYrbYfJ35CaEPJVWW+4VOsvFdJouBU avAHyE6nkz3bugPGCOsJnuxzNVLIiiBr+RnxLl1Iq7B+tiJy0xsTii4Vf4h29JZee5ra4nQbkF1n MufVOMGthWzioKv3NMz4anAHUgVlWqC4JzbapoeMT4SGfLJB9n9VkBxCBVWb+TFpC9uwpQV/g+tg mASw7rCLqojIQGdg+Ah1qKb4t9Pje3jTUdqXULg4MxddUrExexdgs60NmbDySc6yE+VBwnuJQ= X-QQ-XMRINFO: NyFYKkN4Ny6FSmKK/uo/jdU= From: Zhang Shurong To: song@kernel.org, yukuai1@huaweicloud.com Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com, Zhang Shurong Subject: [PATCH v2] md: raid1: fix potential OOB in raid1_remove_disk() Date: Sat, 22 Jul 2023 15:53:53 +0800 X-OQ-MSGID: <20230722075353.7159-1-zhang_shurong@foxmail.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, HELO_DYNAMIC_IPADDR,RCVD_IN_DNSWL_BLOCKED,RDNS_DYNAMIC,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If rddev->raid_disk is greater than mddev->raid_disks, there will be an out-of-bounds in raid1_remove_disk(). We have already found similar reports as follows: 1) commit d17f744e883b ("md-raid10: fix KASAN warning") 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk") Fix this bug by checking whether the "number" variable is valid. Signed-off-by: Zhang Shurong --- Changes in v2: - Using conf->raid_disks instead of mddev->raid_disks. drivers/md/raid1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c index dd25832eb045..80aeee63dfb7 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c @@ -1829,6 +1829,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) struct r1conf *conf = mddev->private; int err = 0; int number = rdev->raid_disk; + + if (unlikely(number >= conf->raid_disks)) + goto abort; + struct raid1_info *p = conf->mirrors + number; if (rdev != p->rdev) -- 2.41.0