
block: fix integer overflow in BLKSECDISCARD

Message ID 9e64057f-650a-46d1-b9f7-34af391536ef@p183 (mailing list archive)
State New, archived

Commit Message

Alexey Dobriyan Sept. 3, 2024, 7:48 p.m. UTC
I independently rediscovered

	commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
	block: fix overflow in blk_ioctl_discard()

but for secure erase.

Same problem:

	uint64_t r[2] = {512, 18446744073709551104ULL};
	ioctl(fd, BLKSECDISCARD, r);

will enter near infinite loop inside blkdev_issue_secure_erase():

	a.out: attempt to access beyond end of device
	loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
	bio_check_eod: 3286214 callbacks suppressed

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 block/ioctl.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
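The wraparound described in the commit message above, reproduced as plain user-space arithmetic. This is an added illustration, not code from the patch or the kernel tree: `old_check_rejects`, `new_check_rejects` and `DEV_BYTES` are hypothetical names, the device size is constructed to match `limit=2048` in the log, and `__builtin_add_overflow()` stands in for the kernel's `check_add_overflow()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed device size: 2048 sectors of 512 bytes (limit=2048 in the log). */
#define DEV_BYTES (2048ULL * 512ULL)

/* Range check as it stood before the patch: start + len may wrap modulo 2^64. */
static bool old_check_rejects(uint64_t start, uint64_t len, uint64_t dev_bytes)
{
	if ((start & 511) || (len & 511))
		return true;
	return start + len > dev_bytes;
}

/* Range check after the patch; __builtin_add_overflow() is a user-space
 * stand-in for the kernel's check_add_overflow(). */
static bool new_check_rejects(uint64_t start, uint64_t len, uint64_t dev_bytes)
{
	uint64_t end;

	if ((start & 511) || (len & 511))
		return true;
	return __builtin_add_overflow(start, len, &end) || end > dev_bytes;
}

int main(void)
{
	/* Values from the commit message: 512 + (2^64 - 512) wraps to 0. */
	uint64_t start = 512, len = 18446744073709551104ULL;

	printf("wrapped end = %llu\n", (unsigned long long)(start + len));
	printf("old check rejects: %d\n", old_check_rejects(start, len, DEV_BYTES));
	printf("new check rejects: %d\n", new_check_rejects(start, len, DEV_BYTES));
	printf("sectors that would be requested: %llu\n",
	       (unsigned long long)(len >> 9));
	return 0;
}
```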

Comments

Christoph Hellwig Sept. 4, 2024, 4:31 a.m. UTC | #1
Do you actually have a test setup for BLKSECDISCARD?  Given that
I've been unable to get anyone to actually help with testing it
we might be better off just removing it..
Alexey Dobriyan Sept. 4, 2024, 11:23 a.m. UTC | #2
On Tue, Sep 03, 2024 at 09:31:11PM -0700, Christoph Hellwig wrote:
> Do you actually have a test setup for BLKSECDISCARD?

No, of course not. It was "delete every -EOPNOTSUPP" until bug
reproduces.

> Given that
> I've been unable to get anyone to actually help with testing it
> we might be better off just removing it..
Jens Axboe Sept. 4, 2024, 2:01 p.m. UTC | #3
On Tue, 03 Sep 2024 22:48:19 +0300, Alexey Dobriyan wrote:
> I independently rediscovered
> 
> 	commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
> 	block: fix overflow in blk_ioctl_discard()
> 
> but for secure erase.
> 
> [...]

Applied, thanks!

[1/1] block: fix integer overflow in BLKSECDISCARD
      commit: 697ba0b6ec4ae04afb67d3911799b5e2043b4455

Best regards,

Patch

--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -126,7 +126,7 @@  static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode,
 		return -EINVAL;
 
 	filemap_invalidate_lock(bdev->bd_mapping);
-	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
+	err = truncate_bdev_range(bdev, mode, start, end - 1);
 	if (err)
 		goto fail;
 
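Review bot: the changelog does not cover this change to blk_ioctl_discard(): the subject and message only mention BLKSECDISCARD, yet the `truncate_bdev_range(bdev, mode, start, end - 1)` line here alters the discard path. Neither the declaration nor the assignment of `end` is visible in this hunk, so please state in the commit message that `end` in this function is already the overflow-checked `start + len` and that the substitution is a cleanup with no behaviour change, or split it into its own patch.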
@@ -163,7 +163,7 @@  static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode,
 static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode,
 		void __user *argp)
 {
-	uint64_t start, len;
+	uint64_t start, len, end;
 	uint64_t range[2];
 	int err;
 
@@ -178,11 +178,12 @@  static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode,
 	len = range[1];
 	if ((start & 511) || (len & 511))
 		return -EINVAL;
-	if (start + len > bdev_nr_bytes(bdev))
+	if (check_add_overflow(start, len, &end) ||
+	    end > bdev_nr_bytes(bdev))
 		return -EINVAL;
 
 	filemap_invalidate_lock(bdev->bd_mapping);
-	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
+	err = truncate_bdev_range(bdev, mode, start, end - 1);
 	if (!err)
 		err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9,
 						GFP_KERNEL);
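Review bot: a zero length is not rejected anywhere between `len = range[1];` and the new `check_add_overflow()` test, so for `start == 0` and `len == 0` the expression `end - 1` passed to `truncate_bdev_range()` wraps to the maximum 64-bit value. The overflow check handles the large-`len` case from the changelog but not this one; consider adding `if (!len) return -EINVAL;` next to the alignment check so that `end - 1` is always a valid last byte of the range.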