| Message ID | tencent_59C6505725F46EF26BE7B6E8C0363C2A1509@qq.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers | show |
| Series | md: raid1: fix potential OOB in raid1_remove_disk() | expand |
Hi, 在 2023/07/16 0:11, Zhang Shurong 写道: > If rddev->raid_disk is greater than mddev->raid_disks, there will be > an out-of-bounds in raid1_remove_disk(). We have already found > similar reports as follows: > > 1) commit d17f744e883b ("md-raid10: fix KASAN warning") > 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk") > > Fix this bug by checking whether the "number" variable is > valid. > > Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> > --- > drivers/md/raid1.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c > index dd25832eb045..3e294dc408fa 100644 > --- a/drivers/md/raid1.c > +++ b/drivers/md/raid1.c > @@ -1829,6 +1829,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) > struct r1conf *conf = mddev->private; > int err = 0; > int number = rdev->raid_disk; > + > + if (unlikely(number >= mddev->raid_disks)) > + goto abort; > + This looks correct, but I prefer to use conf->raid_disks directly. Thanks, Kuai > struct raid1_info *p = conf->mirrors + number; > > if (rdev != p->rdev) >
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c index dd25832eb045..3e294dc408fa 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c @@ -1829,6 +1829,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) struct r1conf *conf = mddev->private; int err = 0; int number = rdev->raid_disk; + + if (unlikely(number >= mddev->raid_disks)) + goto abort; + struct raid1_info *p = conf->mirrors + number; if (rdev != p->rdev)
If rddev->raid_disk is greater than mddev->raid_disks, there will be an out-of-bounds in raid1_remove_disk(). We have already found similar reports as follows: 1) commit d17f744e883b ("md-raid10: fix KASAN warning") 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk") Fix this bug by checking whether the "number" variable is valid. Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> --- drivers/md/raid1.c | 4 ++++ 1 file changed, 4 insertions(+)