From patchwork Thu Feb 22 21:59:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1903003
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [SRU][Mantic][PATCH 1/1] dm: limit the number of targets and parameter size area Date: Thu, 22 Feb 2024 16:59:04 -0500 Message-Id: <20240222215905.83786-3-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240222215905.83786-1-yuxuan.luo@canonical.com> References: <20240222215905.83786-1-yuxuan.luo@canonical.com> From: Mikulas Patocka The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot. In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer (cherry picked from commit bd504bcfec41a503b32054da5472904b404341a4) CVE-2024-23851 Signed-off-by: Yuxuan Luo --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 095b9b49aa825..e6757a30dccad 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -22,6 +22,8 @@ #include "dm-ima.h" #define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 struct dm_io; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 21ebb6c39394b..3b8b2e886cf67 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c 
@@ -1941,7 +1941,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) { + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size); return -EINVAL; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 37b48f63ae6a5..fd84e06670e8d 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -129,7 +129,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, blk_mode_t mode, unsigned int num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL); if (!t) return -ENOMEM; 
@@ -144,7 +149,7 @@ int dm_table_create(struct dm_table **result, blk_mode_t mode, if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; } if (alloc_targets(t, num_targets)) {
From patchwork Thu Feb 22 21:59:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1903004
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [SRU][F/J][PATCH 2/2] dm: limit the number of targets and parameter size area Date: Thu, 22 Feb 2024 16:59:05 -0500 Message-Id: <20240222215905.83786-4-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240222215905.83786-1-yuxuan.luo@canonical.com> References: <20240222215905.83786-1-yuxuan.luo@canonical.com> From: Mikulas Patocka The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot. In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer (cherry picked from commit bd504bcfec41a503b32054da5472904b404341a4) CVE-2024-23851 Signed-off-by: Yuxuan Luo --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 5a7d270b32c01..eff11df6c32e5 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -21,6 +21,8 @@ #include "dm-ima.h" #define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 struct dm_kobject_holder { struct kobject kobj; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index ec72963b10045..577b6e9199476 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c 
@@ -1865,7 +1865,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern if (copy_from_user(param_kernel, user, minimum_data_size)) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) { + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size); return -EINVAL; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 46ec4590f62f6..52083d397fc4b 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -126,7 +126,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, fmode_t mode, unsigned num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL); if (!t) return -ENOMEM; @@ -140,7 +145,7 @@ int dm_table_create(struct dm_table **result, fmode_t mode, if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; } if (alloc_targets(t, num_targets)) {
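Review bot: in the dm-core.h hunk (same in the Mantic and F/J versions), `#define DM_MAX_TARGET_PARAMS 1024` reads like a count of parameters, yet its only use visible in this patch is as a per-target byte budget inside the `data_size` bound, so the unit is undocumented. A short comment above the two defines saying that DM_MAX_TARGETS is a target count, that DM_MAX_TARGET_PARAMS is bytes of parameter area per target, and that their product (1073741824, as the commit message states) has to stay at or below INT_MAX for kvmalloc would make the limits self-explanatory to the next person who changes them.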
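Review bot: in the copy_params() hunk, the new bound `param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS` multiplies two plain int constants, so the limit is only correct while the product fits in int; it is 2^30 today, and doubling either define would overflow the constant expression. Consider defining the product once as a single unsigned constant next to the other two defines (a hypothetical DM_MAX_DATA_SIZE, for example) and comparing against that. As a style point, the two `unlikely()` wrappers can be folded into one around the whole condition.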
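Review bot: in the second dm_table_create() hunk, the `if (!num_targets)` path now returns -EOVERFLOW instead of -ENOMEM, a userspace-visible errno change that the commit message does not mention. Please add a comment above that check explaining why a zero count is reported as an overflow, and call the errno change out in the submission, since this is a stable backport. Related: the new `num_targets > DM_MAX_TARGETS` check returns -EOVERFLOW while the oversize `data_size` case in copy_params() returns -EINVAL, so callers get two different errors for exceeding a limit; worth a sentence on whether that is intended.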