This is the fix of CVE-2024-23851 for kernel v6.1.
Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404...
Changed argument name "blk_mode_t" back to "fmode_t" for the old version. The argument is not affected by the patch.
He Gao (1): dm: limit the number of targets and parameter size area
drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-)
[ Upstream commit bd504bcfec41a503b32054da5472904b404341a4 ]
The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot.
In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824.
Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka mpatocka@redhat.com Signed-off-by: Mike Snitzer snitzer@kernel.org Signed-off-by: He Gao hegao@google.com --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 71dcd8fd4050..6314210d3697 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -21,6 +21,8 @@ #include "dm-ima.h"
#define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024
struct dm_io;
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 206e6ce554dc..4376754816ab 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1877,7 +1877,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern minimum_data_size - sizeof(param_kernel->version))) return -EFAULT;
- if (param_kernel->data_size < minimum_data_size) { + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size); return -EINVAL; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index dac6a5f25f2b..e0367a672eab 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -128,7 +128,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, fmode_t mode, unsigned int num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL);
if (!t) return -ENOMEM; @@ -143,7 +148,7 @@ int dm_table_create(struct dm_table **result, fmode_t mode,
if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; }
if (alloc_targets(t, num_targets)) {
On Tue, Feb 20, 2024 at 11:23:38PM +0000, He Gao wrote:
This is the fix of CVE-2024-23851 for kernel v6.1.
Upstream commit: https://github.com/torvalds/linux/commit/bd504bcfec41a503b32054da5472904b404...
Changed argument name "blk_mode_t" back to "fmode_t" for the old version. The argument is not affected by the patch.
What needed to be changed? The original applied just fine.
And what about 6.6.y and 6.7.y?
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg KH -
He Gao