| Message ID | tencent_0006E4D2C28641498B2ED06ECB8C9BE7D706@qq.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [V4] block: no show partitions if partno corrupted | expand |
diff --git a/block/genhd.c b/block/genhd.c index 9130e163e191..a9a1d5a429aa 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -890,8 +890,12 @@ static int show_partition(struct seq_file *seqf, void *v) rcu_read_lock(); xa_for_each(&sgp->part_tbl, idx, part) { + int partno = bdev_partno(part); + if (!bdev_nr_sectors(part)) continue; + if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) + continue; seq_printf(seqf, "%4d %7d %10llu %pg\n", MAJOR(part->bd_dev), MINOR(part->bd_dev), bdev_nr_sectors(part) >> 1, part);
syzbot reported a global-out-of-bounds in number. [1] Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper array. To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS. [1] BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494 Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832 CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 number+0x3be/0xf40 lib/vsprintf.c:494 pointer+0x764/0x1210 lib/vsprintf.c:2484 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846 seq_vprintf fs/seq_file.c:391 [inline] seq_printf+0x172/0x270 fs/seq_file.c:406 show_partition+0x29f/0x3f0 block/genhd.c:905 seq_read_iter+0x969/0xd70 fs/seq_file.c:272 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299 copy_splice_read+0x63a/0xb40 fs/splice.c:365 do_splice_read fs/splice.c:985 [inline] splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089 do_splice_direct_actor fs/splice.c:1207 [inline] do_splice_direct+0x289/0x3e0 fs/splice.c:1233 do_sendfile+0x564/0x8a0 fs/read_write.c:1363 __do_sys_sendfile64 fs/read_write.c:1424 [inline] __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4 Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- V1 -> V2: Add a warning V2 -> V3: replace to WARN_ON_ONCE on a separate line V3 -> V4: add continue block/genhd.c | 4 ++++ 1 file changed, 4 insertions(+)