Message ID | 20210326085954.474119-1-ming.lei@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | block: not create too many partitions |
On Fri, Mar 26, 2021 at 04:59:54PM +0800, Ming Lei wrote: > Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops > check on max supported partitions number, and allows partition with > bigger partition number to be added. However, ->bd_partno is defined > as u8, so partition index of xarray table may not match with ->bd_partno. > Then delete_partition() may delete one unmatched partition, and caused > use-after-free. > > Cc: Bart Van Assche <bvanassche@acm.org> > Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com > Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl") > Signed-off-by: Ming Lei <ming.lei@redhat.com> > --- > Another fix is to define ->bd_partno as u32, not sure if we need to > support so many partitions. > > block/partitions/core.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/block/partitions/core.c b/block/partitions/core.c > index 1a7558917c47..933d47105b64 100644 > --- a/block/partitions/core.c > +++ b/block/partitions/core.c > @@ -322,6 +322,10 @@ static struct block_device *add_partition(struct gendisk *disk, int partno, > const char *dname; > int err; > > + /* disk_max_parts() is zero during initialization, ignore if so */ > + if (disk_max_parts(disk) && (partno + 1) > disk_max_parts(disk)) > + return ERR_PTR(-EINVAL); disk->minors is set in __alloc_disk_node, so AFAICS it can't ever be 0 when add_partition is called. So I think this should be just: if (partno >= disk_max_parts(disk)) return ERR_PTR(-EINVAL); otherwise this looks good.
diff --git a/block/partitions/core.c b/block/partitions/core.c index 1a7558917c47..933d47105b64 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -322,6 +322,10 @@ static struct block_device *add_partition(struct gendisk *disk, int partno, const char *dname; int err; + /* disk_max_parts() is zero during initialization, ignore if so */ + if (disk_max_parts(disk) && (partno + 1) > disk_max_parts(disk)) + return ERR_PTR(-EINVAL); + /* * Partitions are not supported on zoned block devices that are used as * such.
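Review bot: The `disk_max_parts(disk) &&` guard in the added check skips the bound entirely whenever disk_max_parts() returns zero, so on that path add_partition() still accepts any partno, which is the condition the commit message ties to the ->bd_partno mismatch. Either reduce the test to `if (partno >= disk_max_parts(disk))`, or extend the comment to say where disk_max_parts() can be zero when add_partition() runs and why an unbounded partno is safe there. Two smaller points on the same lines: partno is a signed int and `(partno + 1) > disk_max_parts(disk)` does not reject negative values, and the check only protects the u8 field if disk_max_parts() can never exceed what ->bd_partno holds, which the hunk does not show; a one-line comment stating that relationship would make the fix self-explanatory.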
Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops
check on max supported partitions number, and allows partition with
bigger partition number to be added. However, ->bd_partno is defined
as u8, so partition index of xarray table may not match with ->bd_partno.
Then delete_partition() may delete one unmatched partition, and caused
use-after-free.

Cc: Bart Van Assche <bvanassche@acm.org>
Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com
Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
Another fix is to define ->bd_partno as u32, not sure if we need to
support so many partitions.

block/partitions/core.c | 4 ++++
1 file changed, 4 insertions(+)
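The index mismatch described in the commit message, as a user-space C model added here (not kernel code and not part of the patch). The names `model_disk`, `model_add`, `model_delete` and `model_stale_slots`, the 512-slot table, and the premise that deletion clears the table slot named by the stored u8 number are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_SLOTS 512              /* constructed size for the model table */

struct model_part {                  /* stand-in for a partition object */
    uint8_t partno;                  /* same width as ->bd_partno (u8) */
    int in_use;                      /* 0 once the object has been released */
};

struct model_disk {
    struct model_part *tbl[TABLE_SLOTS]; /* stand-in for disk->part_tbl */
    struct model_part pool[TABLE_SLOTS]; /* backing storage, no real free() */
    int max_parts;                   /* stand-in for disk_max_parts() */
    int check_limit;                 /* 0 = no bound on partno, 1 = bounded */
};

/* Store a partition at table index partno; the stored number is cut to u8. */
static int model_add(struct model_disk *d, int partno)
{
    if (partno < 0 || partno >= TABLE_SLOTS)
        return -EINVAL;
    if (d->check_limit && partno >= d->max_parts)
        return -EINVAL;              /* the bound the patch restores */
    d->pool[partno].partno = (uint8_t)partno;
    d->pool[partno].in_use = 1;
    d->tbl[partno] = &d->pool[partno];
    return 0;
}

/* Delete using the number stored in the object; returns the slot cleared. */
static int model_delete(struct model_disk *d, struct model_part *p)
{
    int slot = p->partno;            /* u8 value, not the index used at add */
    d->tbl[slot] = NULL;
    p->in_use = 0;                   /* object released */
    return slot;
}

/* Count table slots that still point at a released object. */
static int model_stale_slots(const struct model_disk *d)
{
    int n = 0;
    for (int i = 0; i < TABLE_SLOTS; i++)
        n += d->tbl[i] && !d->tbl[i]->in_use;
    return n;
}
```

With the bound off, adding index 256 stores number 0, so deleting that object clears slot 0 and leaves slot 256 referencing released storage; with the bound on and `max_parts` set to 256, index 256 is rejected up front.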