Message ID | 20240222215905.83786-1-yuxuan.luo@canonical.com |
---|---|
Series | CVE-2024-23851 |

On 2/22/24 2:59 PM, Yuxuan Luo wrote:
> [Impact]
> copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can
> attempt to allocate more than INT_MAX bytes, and crash, because of a
> missing param_kernel->data_size check. This is related to ctl_ioctl.
>
> [Backport]
> For Mantic it is a single clean cherry pick.
>
> For Focal and Jammy, the fix commit cannot be clean cherry picked
> because of the conflict around the DMERR() lines; cherry pick
> dbdcc906d978 (“dm ioctl: log an error if the ioctl structure is
> corrupted”) to solve the conflict.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> A very low regression potential exists when executing copy_params() for
> devices.
>
>
> Mikulas Patocka (1):
>   dm: limit the number of targets and parameter size area
>
>  drivers/md/dm-core.h  | 2 ++
>  drivers/md/dm-ioctl.c | 3 ++-
>  drivers/md/dm-table.c | 9 +++++++--
>  3 files changed, 11 insertions(+), 3 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 22.02.24 22:59, Yuxuan Luo wrote:
> [Impact]
> copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can
> attempt to allocate more than INT_MAX bytes, and crash, because of a
> missing param_kernel->data_size check. This is related to ctl_ioctl.
>
> [Backport]
> For Mantic it is a single clean cherry pick.
>
> For Focal and Jammy, the fix commit cannot be clean cherry picked
> because of the conflict around the DMERR() lines; cherry pick
> dbdcc906d978 (“dm ioctl: log an error if the ioctl structure is
> corrupted”) to solve the conflict.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> A very low regression potential exists when executing copy_params() for
> devices.
>
>
> Mikulas Patocka (1):
>   dm: limit the number of targets and parameter size area
>
>  drivers/md/dm-core.h  | 2 ++
>  drivers/md/dm-ioctl.c | 3 ++-
>  drivers/md/dm-table.c | 9 +++++++--
>  3 files changed, 11 insertions(+), 3 deletions(-)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 22.02.24 22:59, Yuxuan Luo wrote:
> [Impact]
> copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can
> attempt to allocate more than INT_MAX bytes, and crash, because of a
> missing param_kernel->data_size check. This is related to ctl_ioctl.
>
> [Backport]
> For Mantic it is a single clean cherry pick.
>
> For Focal and Jammy, the fix commit cannot be clean cherry picked
> because of the conflict around the DMERR() lines; cherry pick
> dbdcc906d978 (“dm ioctl: log an error if the ioctl structure is
> corrupted”) to solve the conflict.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> A very low regression potential exists when executing copy_params() for
> devices.
>
>
> Mikulas Patocka (1):
>   dm: limit the number of targets and parameter size area
>
>  drivers/md/dm-core.h  | 2 ++
>  drivers/md/dm-ioctl.c | 3 ++-
>  drivers/md/dm-table.c | 9 +++++++--
>  3 files changed, 11 insertions(+), 3 deletions(-)
>

Applied to mantic,jammy,focal:linux/master-next. Thanks.

-Stefan