From: Zhong Jinghua <zhongjinghua@huawei.com>
To: <axboe@kernel.dk>
Cc: <linux-block@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<zhongjinghua@huawei.com>, <yi.zhang@huawei.com>,
<yukuai3@huawei.com>
Subject: [PATCH -next v2] block: Fix the partition start may overflow in add_partition()
Date: Thu, 25 May 2023 15:20:41 +0800
Message-ID: <20230525072041.3701176-1-zhongjinghua@huawei.com>
In the blkdev_ioctl, we can pass in the unsigned number 0x8000000000000000
as an input parameter, like below:
blkdev_ioctl
blkpg_ioctl
blkpg_do_ioctl
start = p.start >> SECTOR_SHIFT; // start = 0x8000000000000000 >> 9
bdev_add_partition
add_partition
p->start_sect = start; // start = 0xffc0000000000000
Then there was a warning when submitting a bio:
submit_bio_noacct
submit_bio_checks
blk_partition_remap
bio->bi_iter.bi_sector += p->start_sect
// bio->bi_iter.bi_sector = 0xffc0000000000000 + 0xfc00
..
loop_process_work
loop_handle_cmd
do_req_filebacked
pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset
// pos is 0xffc000000000fc00 << 9
lo_rw_aio
call_read_iter
ext4_dio_read_iter
ext4_dio_read_iter
iomap_dio_rw
__iomap_dio_rw
iomap_iter
ext4_iomap_begin
map.m_lblk = offset >> blkbits // (u32) map.m_lblk is 0xfc00
ext4_set_iomap
iomap->offset = (u64) map->m_lblk << blkbits
// iomap->offset = 0xfc00
iomap_iter_done
WARN_ON_ONCE(iter->iomap.offset > iter->pos);
// iomap.offset = 0xfc00 and iter->pos < 0
This is unreasonable for start + length > disk->part0.nr_sects. There is
already a similar check in blk_add_partition().
Fix it by adding a check in blkpg_do_ioctl().
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
---
v2: Modify the io stack in commit message.
block/ioctl.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/ioctl.c b/block/ioctl.c
index 9c5f637ff153..3223ea862523 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -33,9 +33,16 @@ static int blkpg_do_ioctl(struct block_device *bdev,
if (op == BLKPG_DEL_PARTITION)
return bdev_del_partition(disk, p.pno);
+ if (p.start < 0 || p.length <= 0 || p.start + p.length < 0)
+ return -EINVAL;
+
start = p.start >> SECTOR_SHIFT;
length = p.length >> SECTOR_SHIFT;
+ /* length may be equal to 0 after right shift */
+ if (!length || start + length > get_capacity(bdev->bd_disk))
+ return -EINVAL;
+
switch (op) {
case BLKPG_ADD_PARTITION:
/* check if partition is aligned to blocksize */
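Review bot: the third clause of the first added check, `p.start + p.length < 0`, is undefined behaviour when the sum overflows, since both fields of struct blkpg_partition are signed long long, and once `p.start >= 0` and `p.length > 0` have been established the compiler is entitled to treat that clause as always false and drop it. It is also unnecessary: after the two right shifts `start` and `length` are each below 2^54, so the `start + length > get_capacity(bdev->bd_disk)` test a few lines down cannot wrap in sector_t and already rejects any range that runs past the end of the device. Either remove the third clause, or, if an explicit byte-range overflow test is wanted, write it in the UB-free form `if (check_add_overflow(p.start, p.length, &end)) return -EINVAL;`. A smaller point: because the new checks sit before the `switch`, they also apply to BLKPG_RESIZE_PARTITION; that looks intended but the commit message only mentions add_partition().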
--
2.31.1
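The sign extension the commit message walks through, and the bounds check the patch adds, as an added example in user-space C (this is not code from the patch, the kernel or the patch author): shifted_start() shows what `p.start >> SECTOR_SHIFT` does to 0x8000000000000000 when `start` is a signed long long, and validate_partition() models the corrected check. `struct blkpg_partition_model` is a constructed stand-in for the two relevant fields of the kernel's struct blkpg_partition, the 32 MiB capacity is constructed, and gcc/clang's `__builtin_add_overflow()` is used where the kernel would use check_add_overflow(); the whole block is an assumption-based model, not the kernel's code path.

```c
/* Added example, not code from the patch or the kernel: a user-space model
 * of the BLKPG_ADD_PARTITION parameter check, built with gcc or clang. */
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

#define SECTOR_SHIFT 9
#define EINVAL 22

/* The block layer's sector_t is a 64-bit unsigned type. */
typedef uint64_t sector_t;

/* Constructed stand-in for the two fields of struct blkpg_partition that
 * matter here; in the real ABI both are long long, i.e. signed. */
struct blkpg_partition_model {
	long long start;	/* byte offset of the partition */
	long long length;	/* byte length of the partition */
};

/*
 * What the unpatched code computes: a signed right shift. On gcc and clang
 * the shift of a negative value is arithmetic, so the sign bit is copied
 * into the vacated high bits and 0x8000000000000000 becomes
 * 0xffc0000000000000 once stored in the unsigned sector_t.
 */
sector_t shifted_start(long long start)
{
	return (sector_t)(start >> SECTOR_SHIFT);
}

/*
 * Model of the patched check. Returns 0 when the request is acceptable and
 * -EINVAL otherwise. The byte-range sum is tested with
 * __builtin_add_overflow() rather than `p->start + p->length < 0`, because
 * signed overflow is undefined behaviour and the compiler may delete a test
 * that can only be true after one.
 */
int validate_partition(const struct blkpg_partition_model *p, sector_t capacity)
{
	long long end_bytes;
	sector_t start, length;

	/* Negative offsets and non-positive lengths are never valid. */
	if (p->start < 0 || p->length <= 0)
		return -EINVAL;

	/* UB-free form of the byte-range overflow test. */
	if (__builtin_add_overflow(p->start, p->length, &end_bytes))
		return -EINVAL;

	/* Both operands are non-negative here, so the shift is well defined. */
	start = (sector_t)p->start >> SECTOR_SHIFT;
	length = (sector_t)p->length >> SECTOR_SHIFT;

	/* A sub-sector length shifts to 0; start + length cannot wrap because
	 * each operand is below 2^54 after the shift. */
	if (!length || start + length > capacity)
		return -EINVAL;

	return 0;
}

int main(void)
{
	/* Constructed 32 MiB disk: 65536 sectors of 512 bytes. */
	const sector_t capacity = 1ULL << 16;
	const struct blkpg_partition_model bad = {
		.start = (long long)0x8000000000000000ULL,	/* value from the report */
		.length = 512,
	};
	const struct blkpg_partition_model good = { .start = 4096, .length = 1 << 20 };

	printf("0x8000000000000000 >> 9 as sector_t = 0x%llx\n",
	       (unsigned long long)shifted_start(bad.start));
	printf("bad request  -> %d\n", validate_partition(&bad, capacity));
	printf("good request -> %d\n", validate_partition(&good, capacity));
	return 0;
}
```

The first printf reproduces the 0xffc0000000000000 value quoted in the commit message; the second shows the same request being rejected before it can reach add_partition().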
Thread overview: 3+ messages
2023-05-25 7:20 Zhong Jinghua [this message]
2023-05-26 5:35 ` [PATCH -next v2] block: Fix the partition start may overflow in add_partition() Eric Biggers
2023-05-30 13:42 ` zhongjinghua