Message ID | 20210327071309.553557-1-ming.lei@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | [V2] block: not create too many partitions |
On 3/27/21 1:13 AM, Ming Lei wrote:
> Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops
> check on max supported partitions number, and allows partition with
> bigger partition number to be added. However, ->bd_partno is defined
> as u8, so partition index of xarray table may not match with ->bd_partno.
> Then delete_partition() may delete one unmatched partition, and caused
> use-after-free.

Applied, thanks for nailing this one down, Ming.
On 3/27/21 12:13 AM, Ming Lei wrote: > Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops > check on max supported partitions number, and allows partition with > bigger partition number to be added. However, ->bd_partno is defined > as u8, so partition index of xarray table may not match with ->bd_partno. > Then delete_partition() may delete one unmatched partition, and caused > use-after-free. > > Cc: Bart Van Assche <bvanassche@acm.org> > Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com > Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl") > Signed-off-by: Ming Lei <ming.lei@redhat.com> > --- > V2: > - don't check disk_max_parts() which is supposed to not zero > > block/partitions/core.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/block/partitions/core.c b/block/partitions/core.c > index 1a7558917c47..46f055bc7ecb 100644 > --- a/block/partitions/core.c > +++ b/block/partitions/core.c > @@ -322,6 +322,13 @@ static struct block_device *add_partition(struct gendisk *disk, int partno, > const char *dname; > int err; > > + /* > + * disk_max_parts() won't be zero, either GENHD_FL_EXT_DEVT is set > + * or 'minors' is passed to alloc_disk(). > + */ > + if (partno >= disk_max_parts(disk)) > + return ERR_PTR(-EINVAL); > + > /* > * Partitions are not supported on zoned block devices that are used as > * such. > Reviewed-by: Bart Van Assche <bvanassche@acm.org> Thanks! Bart.
diff --git a/block/partitions/core.c b/block/partitions/core.c index 1a7558917c47..46f055bc7ecb 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -322,6 +322,13 @@ static struct block_device *add_partition(struct gendisk *disk, int partno, const char *dname; int err; + /* + * disk_max_parts() won't be zero, either GENHD_FL_EXT_DEVT is set + * or 'minors' is passed to alloc_disk(). + */ + if (partno >= disk_max_parts(disk)) + return ERR_PTR(-EINVAL); + /* * Partitions are not supported on zoned block devices that are used as * such.
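Review bot: The comment above the new partno >= disk_max_parts(disk) check at the top of add_partition() documents why disk_max_parts() cannot be zero, but not what the bound protects. Per the commit message, the invariant is that partno must fit the u8 ->bd_partno so that the xarray index and ->bd_partno stay equal for delete_partition(); stating that in the comment would tell a later reader why the check must not be dropped again. The check is also upper-bound only while partno is a signed int in the signature, so it is worth confirming that every caller rejects negative values before reaching this point.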
Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops
check on max supported partitions number, and allows partition with
bigger partition number to be added. However, ->bd_partno is defined
as u8, so partition index of xarray table may not match with ->bd_partno.
Then delete_partition() may delete one unmatched partition, and caused
use-after-free.

Cc: Bart Van Assche <bvanassche@acm.org>
Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com
Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
V2:
- don't check disk_max_parts() which is supposed to not zero

block/partitions/core.c | 7 +++++++
1 file changed, 7 insertions(+)
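The index mismatch described in the commit message, as an added user-space model (not the patch's or the kernel's code): a table indexed by int holds objects whose bd_partno is a u8, and deletion erases the slot named by the stored u8, following the commit message's description of delete_partition(). SLOTS, MAX_PARTS, struct bdev, struct disk and the model_* functions are hypothetical names, and MAX_PARTS is an assumed stand-in for disk_max_parts(disk).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 512      /* constructed: index space of the model table */
#define MAX_PARTS 256  /* assumption: stands in for disk_max_parts(disk) */

struct bdev { uint8_t bd_partno; int live; };  /* u8, per the commit message */
struct disk { struct bdev *tbl[SLOTS]; struct bdev pool[SLOTS]; };

/* Insert at index partno; 'checked' applies the bound the patch adds. */
static int model_add(struct disk *d, int partno, int checked)
{
    if (partno < 0 || partno >= SLOTS)
        return -1;
    if (checked && partno >= MAX_PARTS)
        return -22;                               /* -EINVAL */
    d->pool[partno].bd_partno = (uint8_t)partno;  /* 257 is stored as 1 */
    d->pool[partno].live = 1;
    d->tbl[partno] = &d->pool[partno];
    return 0;
}

/* Erase the slot named by the stored u8, then release the object. */
static int model_delete(struct disk *d, int partno)
{
    struct bdev *b = d->tbl[partno];
    int erased = b->bd_partno;
    d->tbl[erased] = NULL;  /* wrong slot when bd_partno != partno */
    b->live = 0;
    return erased;
}

/* Add 1 and 257, delete 257, count slots still pointing at a released object. */
static int dangling_after_delete(int checked)
{
    struct disk d;
    int i, n = 0;
    memset(&d, 0, sizeof(d));
    model_add(&d, 1, checked);
    if (model_add(&d, 257, checked) == 0)
        model_delete(&d, 257);
    for (i = 0; i < SLOTS; i++)
        n += d.tbl[i] && !d.tbl[i]->live;
    return n;
}

int main(void)
{
    printf("dangling: unchecked=%d checked=%d\n", dangling_after_delete(0), dangling_after_delete(1));
}
```

Without the bound, deleting index 257 erases slot 1 and leaves slot 257 pointing at the released object; with the bound, index 257 is rejected at insert time and no slot is left stale.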