Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3673f305 authored by NeilBrown's avatar NeilBrown
Browse files

md: avoid array overflow with bad v1.x metadata 



We trust the 'desc_nr' field in v1.x metadata enough to use it
as an index in an array.  This isn't really safe.
So range-check the value first.

Signed-off-by: default avatarNeilBrown <neilb@suse.de>
parent 3a981b03

drivers/md/md.c

+6 −1
Original line number Diff line number Diff line
@@ -1308,6 +1308,11 @@ static int super_1_validate(mddev_t *mddev, mdk_rdev_t *rdev) 
	}

	if (mddev->level != LEVEL_MULTIPATH) {

		int role;

		if (rdev->desc_nr < 0 ||

		    rdev->desc_nr >= le32_to_cpu(sb->max_dev)) {

			role = 0xffff;

			rdev->desc_nr = -1;

		} else

			role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]);

		switch(role) {

		case 0xffff: /* spare */