Commit 16975f04 authored Feb 09, 2019 by Coly Li Committed by Greg Kroah-Hartman Apr 05, 2019

bcache: fix input overflow to cache set sysfs file io_error_halflife



[ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ]

Cache set sysfs entry io_error_halflife is used to set c->error_decay.
c->error_decay is in type unsigned int, and it is converted by
strtoul_or_return(), therefore overflow to c->error_decay is possible
for a large input value.

This patch fixes the overflow by using strtoul_safe_clamp() to convert
input string to an unsigned long value in range [0, UINT_MAX], then
divides by 88 and set it to c->error_decay.

Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 845d4849

drivers/md/bcache/sysfs.c

+11 −2

Original line number	Original line	Diff line number	Diff line
	@@ -766,8 +766,17 @@ STORE(__bch_cache_set)
	c->error_limit = strtoul_or_return(buf);		c->error_limit = strtoul_or_return(buf);

	/* See count_io_errors() for why 88 */		/* See count_io_errors() for why 88 */
	if (attr == &sysfs_io_error_halflife)		if (attr == &sysfs_io_error_halflife) {
	c->error_decay = strtoul_or_return(buf) / 88;		unsigned long v = 0;
			ssize_t ret;

			ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX);
			if (!ret) {
			c->error_decay = v / 88;
			return size;
			}
			return ret;
			}

	if (attr == &sysfs_io_disable) {		if (attr == &sysfs_io_disable) {
	v = strtoul_or_return(buf);		v = strtoul_or_return(buf);