
Commit 5fabcb4c authored by Jens Axboe

genhd: check for int overflow in disk_expand_part_tbl()



We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition()
with a user passed in partno value. If we pass in 0x7fffffff, the
new target in disk_expand_part_tbl() overflows the 'int' and we
access beyond the end of ptbl->part[] and even write to it when we
do the rcu_assign_pointer() to assign the new partition.

Reported-by: David Ramos <daramos@stanford.edu>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
parent 7c7f2f2b
+9 −2
@@ -1070,9 +1070,16 @@ int disk_expand_part_tbl(struct gendisk *disk, int partno)
	struct disk_part_tbl *old_ptbl = disk->part_tbl;
	struct disk_part_tbl *new_ptbl;
	int len = old_ptbl ? old_ptbl->len : 0;
	int target = partno + 1;
	int i, target;
	size_t size;
	int i;

	/*
	 * check for int overflow, since we can get here from blkpg_ioctl()
	 * with a user passed 'partno'.
	 */
	target = partno + 1;
	if (target < 0)
		return -EINVAL;

	/* disk_max_parts() is zero during initialization, ignore if so */
	if (disk_max_parts(disk) && target > disk_max_parts(disk))
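Review bot: the overflow test in `target = partno + 1; if (target < 0)` only runs after the signed addition has already been performed, and signed overflow is undefined behaviour in C, so the check is correct only when the build makes signed arithmetic wrap. Testing the input before adding, for example `if (partno < 0 || partno == INT_MAX) return -EINVAL;`, would not depend on that. It would also make the handling of negative values explicit: as written, a `partno` of -2 or lower is rejected by the `target < 0` test, while `partno == -1` yields `target == 0` and passes it. If -1 is not a valid partition number here, it should be rejected at this point, and the new comment should say which range of `partno` is accepted.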