diff mbox series

[v2,02/16] device-mapper: Avoid pointer arithmetic overflow

Message ID	20230530203116.2008-3-demi@invisiblethingslab.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour <demi@invisiblethingslab.com> To: Jens Axboe <axboe@kernel.dk>, =?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com>, Alasdair Kergon <agk@redhat.com>, Mike Snitzer <snitzer@kernel.org>, dm-devel@redhat.com Cc: Demi Marie Obenour <demi@invisiblethingslab.com>, =?utf-8?q?Marek_Marczy?= =?utf-8?q?kowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, stable@vger.kernel.org Subject: [PATCH v2 02/16] device-mapper: Avoid pointer arithmetic overflow Date: Tue, 30 May 2023 16:31:02 -0400 Message-Id: <20230530203116.2008-3-demi@invisiblethingslab.com> In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Diskseq support in loop, device-mapper, and blkback \| [v2,00/16] Diskseq support in loop, device-mapper, and blkback [v2,01/16] device-mapper: Check that target specs are sufficiently aligned [v2,02/16] device-mapper: Avoid pointer arithmetic overflow [v2,03/16] device-mapper: do not allow targets to overlap 'struct dm_ioctl' [v2,04/16] device-mapper: Better error message for too-short target spec [v2,05/16] device-mapper: Target parameters must not overlap next target spec [v2,06/16] device-mapper: Avoid double-fetch of version [v2,07/16] device-mapper: Allow userspace to opt-in to strict parameter checks [v2,08/16] device-mapper: Allow userspace to provide expected diskseq [v2,09/16] device-mapper: Allow userspace to suppress uevent generation [v2,10/16] device-mapper: Refuse to create device named "control" [v2,11/16] device-mapper: "." and ".." are not valid symlink names [v2,12/16] device-mapper: inform caller about already-existing device [v2,13/16] xen-blkback: Implement diskseq checks [v2,14/16] block, loop: Increment diskseq when releasing a loop device [v2,15/16] xen-blkback: Minor cleanups [v2,16/16] xen-blkback: Inform userspace that device has been opened

Commit Message

Demi Marie Obenour May 30, 2023, 8:31 p.m. UTC

  Especially on 32-bit systems, it is possible for the pointer arithmetic
to overflow and cause a userspace pointer to be dereferenced in the
kernel.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
---
 drivers/md/dm-ioctl.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff mbox series

Patch

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 34fa74c6a70db8aa67aaba3f6a2fc4f38ef736bc..64e8f16d344c47057de5e2d29e3d63202197dca0 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1396,6 +1396,25 @@  static int next_target(struct dm_target_spec *last, uint32_t next, void *end,
 {
 	static_assert(_Alignof(struct dm_target_spec) <= 8,
 		      "struct dm_target_spec has excessive alignment requirements");
+	static_assert(offsetof(struct dm_ioctl, data) >= sizeof(struct dm_target_spec),
+		      "struct dm_target_spec too big");
+
+	/*
+	 * Number of bytes remaining, starting with last. This is always
+	 * sizeof(struct dm_target_spec) or more, as otherwise *last was
+	 * out of bounds already.
+	 */
+	size_t remaining = (char *)end - (char *)last;
+
+	/*
+	 * There must be room for both the next target spec and the
+	 * NUL-terminator of the target itself.
+	 */
+	if (remaining - sizeof(struct dm_target_spec) <= next) {
+		DMERR("Target spec extends beyond end of parameters");
+		return -EINVAL;
+	}
+
 	if (next % 8) {
 		DMERR("Next target spec (offset %u) is not 8-byte aligned", next);
 		return -EINVAL;