From: Genjian <zhanggenjian@126.com>
To: stable@vger.kernel.org
Cc: axboe@kernel.dk, stable@kernel.org, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, zhanggenjian123@gmail.com,
	Siddh Raman Pant <code@siddh.me>,
	syzbot+a8e049cd3abd342936b6@syzkaller.appspotmail.com,
	Matthew Wilcox <willy@infradead.org>,
	Christoph Hellwig <hch@lst.de>,
	Genjian Zhang <zhanggenjian@kylinos.cn>
Subject: [PATCH linux-5.4.y 7/8] loop: Check for overflow while configuring loop
Date: Thu,  7 Mar 2024 12:14:10 +0800	[thread overview]
Message-ID: <20240307041411.3792061-8-zhanggenjian@126.com> (raw)
In-Reply-To: <20240307041411.3792061-1-zhanggenjian@126.com>

From: Siddh Raman Pant <code@siddh.me>

[ Upstream commit c490a0b5a4f36da3918181a8acdc6991d967c5f3 ]

Userspace can configure a loop using an ioctl call, wherein
a configuration of type loop_config is passed (see lo_ioctl()'s
case on line 1550 of drivers/block/loop.c). This proceeds to call
loop_configure() which in turn calls loop_set_status_from_info()
(see line 1050 of loop.c), passing &config->info which is of type
loop_info64*. This function then sets the appropriate values, like
the offset.

loop_device has lo_offset of type loff_t (see line 52 of loop.c),
which is typedef-chained to long long, whereas loop_info64 has
lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).

The function directly copies the offset from info to the device as
follows (see line 980 of loop.c):
	lo->lo_offset = info->lo_offset;

This results in an overflow, which triggers a warning in iomap_iter()
due to a call to iomap_iter_done() which has:
	WARN_ON_ONCE(iter->iomap.offset > iter->pos);

Thus, check for negative value during loop_set_status_from_info().

Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e

Reported-and-tested-by: syzbot+a8e049cd3abd342936b6@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Siddh Raman Pant <code@siddh.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220823160810.181275-1-code@siddh.me
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
---
 drivers/block/loop.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index eadb189be0cc..c999eef4e345 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1298,6 +1298,11 @@ loop_set_status_from_info(struct loop_device *lo,
 
 	lo->lo_offset = info->lo_offset;
 	lo->lo_sizelimit = info->lo_sizelimit;
+
+	/* loff_t vars have been assigned __u64 */
+	if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
+		return -EOVERFLOW;
+
 	memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
 	memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
 	lo->lo_file_name[LO_NAME_SIZE-1] = 0;
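Review bot: the new check runs only after `lo->lo_offset = info->lo_offset;` and `lo->lo_sizelimit = info->lo_sizelimit;` have already been executed, so when it returns -EOVERFLOW the loop device is left carrying the negative offset and size limit that the check was meant to reject, and the caller has no way to undo that. Validate the user-supplied values before the assignment instead, e.g. `if ((loff_t)info->lo_offset < 0 || (loff_t)info->lo_sizelimit < 0) return -EOVERFLOW;` placed above the two assignments, so a rejected ioctl leaves lo untouched (this is what the 8/8 patch title in this series, "loop_set_status_from_info() check before assignment", describes). The comment "loff_t vars have been assigned __u64" would then read better as "reject __u64 values that do not fit in loff_t".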
-- 
2.25.1
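The sign-change the commit message describes (a __u64 lo_offset from userspace landing in a long long lo_offset on the device), shown as an added stand-alone example that is not the kernel's code: the struct and function names are simplified stand-ins for drivers/block/loop.c, the offset value is a constructed input, and the two functions contrast the check placed after the assignment (as in the hunk above) with a check placed before it.

```c
/* Added example, not from drivers/block/loop.c.  Minimal stand-ins for
 * struct loop_info64 (__u64 fields, from include/uapi/linux/loop.h) and
 * struct loop_device (loff_t fields), plus two variants of the overflow
 * check from loop_set_status_from_info(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <errno.h>

typedef int64_t loff_t;   /* kernel loff_t is long long */
typedef uint64_t u64;     /* kernel __u64 */

struct loop_info64 {      /* only the fields this example uses */
	u64 lo_offset;
	u64 lo_sizelimit;
};

struct loop_device {      /* only the fields this example uses */
	loff_t lo_offset;
	loff_t lo_sizelimit;
};

/* Mirrors the hunk: assign first, then reject negative values.  On
 * failure the device already holds the rejected values. */
int set_status_check_after(struct loop_device *lo, const struct loop_info64 *info)
{
	lo->lo_offset = info->lo_offset;        /* u64 -> loff_t, may go negative */
	lo->lo_sizelimit = info->lo_sizelimit;
	if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
		return -EOVERFLOW;
	return 0;
}

/* Validate the user-supplied values before touching the device, so a
 * rejected request leaves lo exactly as it was.  "value > LLONG_MAX" is
 * the portable spelling of "(loff_t)value < 0" on two's-complement targets. */
int set_status_check_before(struct loop_device *lo, const struct loop_info64 *info)
{
	if (info->lo_offset > (u64)LLONG_MAX || info->lo_sizelimit > (u64)LLONG_MAX)
		return -EOVERFLOW;
	lo->lo_offset = info->lo_offset;
	lo->lo_sizelimit = info->lo_sizelimit;
	return 0;
}

/* Constructed inputs: an offset above LLONG_MAX, as a fuzzer could pass
 * through the ioctl, and a sane configuration for comparison. */
static const struct loop_info64 bad_info = { .lo_offset = 0xFFFFFFFFFFFFF000ULL, .lo_sizelimit = 0 };
static const struct loop_info64 ok_info  = { .lo_offset = 4096, .lo_sizelimit = 1 << 20 };

/* Small wrappers that run one variant from a zeroed device and report
 * either the return code or the device's resulting lo_offset. */
int after_rc(void)            { struct loop_device lo = {0, 0}; return set_status_check_after(&lo, &bad_info); }
long long after_offset(void)  { struct loop_device lo = {0, 0}; set_status_check_after(&lo, &bad_info); return lo.lo_offset; }
int before_rc(void)           { struct loop_device lo = {0, 0}; return set_status_check_before(&lo, &bad_info); }
long long before_offset(void) { struct loop_device lo = {0, 0}; set_status_check_before(&lo, &bad_info); return lo.lo_offset; }
int valid_rc(void)            { struct loop_device lo = {0, 0}; return set_status_check_before(&lo, &ok_info); }

int main(void)
{
	printf("check after assignment:  rc=%d, device lo_offset=%lld\n", after_rc(), after_offset());
	printf("check before assignment: rc=%d, device lo_offset=%lld\n", before_rc(), before_offset());
	printf("valid config:            rc=%d\n", valid_rc());
	return 0;
}
```

Both variants reject the oversized offset with -EOVERFLOW, but only the "check before" variant leaves the device's lo_offset at its previous value; with the check placed after the assignment the device ends up with a negative lo_offset despite the error return.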


Thread overview: 9+ messages
2024-03-07  4:14 [PATCH linux-5.4.y 0/8] Fix the UAF issue caused by the loop driver Genjian
2024-03-07  4:14 ` [PATCH linux-5.4.y 1/8] Revert "loop: Check for overflow while configuring loop" Genjian
2024-03-07  4:14 ` [PATCH linux-5.4.y 2/8] loop: Call loop_config_discard() only after new config is applied Genjian
2024-03-07  4:14 ` [PATCH linux-5.4.y 3/8] loop: Remove sector_t truncation checks Genjian
2024-03-07  4:14 ` [PATCH linux-5.4.y 4/8] loop: Factor out setting loop device size Genjian
2024-03-07  4:14 ` [PATCH linux-5.4.y 5/8] loop: Refactor loop_set_status() size calculation Genjian
2024-03-07  4:14 ` [PATCH linux-5.4.y 6/8] loop: Factor out configuring loop from status Genjian
2024-03-07  4:14 ` Genjian [this message]
2024-03-07  4:14 ` [PATCH linux-5.4.y 8/8] loop: loop_set_status_from_info() check before assignment Genjian
