| Message ID | tencent_E820E9DAED3ACC3079BA6F3C2E896FA4950A@qq.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | block: no show partitions if partno corrupted | expand |
On 1/14/25 03:28, Edward Adam Davis wrote: > syzbot reported a global-out-of-bounds in number. [1] > > Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper > array. > > To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS. > > [1] > BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494 > Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832 > > CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:94 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 > print_address_description mm/kasan/report.c:378 [inline] > print_report+0x169/0x550 mm/kasan/report.c:489 > kasan_report+0x143/0x180 mm/kasan/report.c:602 > number+0x3be/0xf40 lib/vsprintf.c:494 > pointer+0x764/0x1210 lib/vsprintf.c:2484 > vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846 > seq_vprintf fs/seq_file.c:391 [inline] > seq_printf+0x172/0x270 fs/seq_file.c:406 > show_partition+0x29f/0x3f0 block/genhd.c:905 > seq_read_iter+0x969/0xd70 fs/seq_file.c:272 > proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299 > copy_splice_read+0x63a/0xb40 fs/splice.c:365 > do_splice_read fs/splice.c:985 [inline] > splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089 > do_splice_direct_actor fs/splice.c:1207 [inline] > do_splice_direct+0x289/0x3e0 fs/splice.c:1233 > do_sendfile+0x564/0x8a0 fs/read_write.c:1363 > __do_sys_sendfile64 fs/read_write.c:1424 [inline] > __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4 > Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > block/genhd.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/block/genhd.c b/block/genhd.c > index 9130e163e191..8d539a4a3b37 100644 > --- a/block/genhd.c > +++ b/block/genhd.c > @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v) > > rcu_read_lock(); > xa_for_each(&sgp->part_tbl, idx, part) { > - if (!bdev_nr_sectors(part)) > + int partno = bdev_partno(part); > + > + if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS) > continue; > seq_printf(seqf, "%4d %7d %10llu %pg\n", > MAJOR(part->bd_dev), MINOR(part->bd_dev), Maybe a warning is in order; when we are hitting this issue it means that linux has a limitation on causing it to ignore the (otherwise valid) partition entry. Otherwise looks good. Cheers, Hannes
diff --git a/block/genhd.c b/block/genhd.c index 9130e163e191..8d539a4a3b37 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v) rcu_read_lock(); xa_for_each(&sgp->part_tbl, idx, part) { - if (!bdev_nr_sectors(part)) + int partno = bdev_partno(part); + + if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS) continue; seq_printf(seqf, "%4d %7d %10llu %pg\n", MAJOR(part->bd_dev), MINOR(part->bd_dev),