md: avoid signed overflow in slot_store()

Message ID	167805578596.8008.14753053536858832084@noble.neil.brown.name (mailing list archive)
State	Accepted, archived
Delegated to:	Song Liu
Headers	show Return-Path: <linux-raid-owner@vger.kernel.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 From: "NeilBrown" <neilb@suse.de> To: Song Liu <song@kernel.org>, Dan Carpenter <error27@gmail.com> Cc: linux-raid@vger.kernel.org Subject: [PATCH] md: avoid signed overflow in slot_store() Date: Mon, 06 Mar 2023 09:36:25 +1100 Message-id: <167805578596.8008.14753053536858832084@noble.neil.brown.name> Precedence: bulk
Series	md: avoid signed overflow in slot_store() \| expand md: avoid signed overflow in slot_store()

Message ID

167805578596.8008.14753053536858832084@noble.neil.brown.name (mailing list archive)

State

Accepted, archived

Delegated to:

Song Liu

Headers

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
From: "NeilBrown" <neilb@suse.de>
To: Song Liu <song@kernel.org>, Dan Carpenter <error27@gmail.com>
Cc: linux-raid@vger.kernel.org
Subject: [PATCH] md: avoid signed overflow in slot_store()
Date: Mon, 06 Mar 2023 09:36:25 +1100
Message-id: <167805578596.8008.14753053536858832084@noble.neil.brown.name>
Precedence: bulk

Series

md: avoid signed overflow in slot_store() | expand

Commit Message

NeilBrown March 5, 2023, 10:36 p.m. UTC

slot_store() uses kstrtouint() to get a slot number, but stores the
result in an "int" variable (by casting a pointer).
This can result in a negative slot number if the unsigned int value is
very large.

A negative number means that the slot is empty, but setting a negative
slot number this way will not remove the device from the array.  I don't
think this is a serious problem, but it could cause confusion and it is
best to fix it.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
---
 drivers/md/md.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Song Liu March 13, 2023, 8:26 p.m. UTC | #1

On Sun, Mar 5, 2023 at 2:36 PM NeilBrown <neilb@suse.de> wrote:
>
>
> slot_store() uses kstrtouint() to get a slot number, but stores the
> result in an "int" variable (by casting a pointer).
> This can result in a negative slot number if the unsigned int value is
> very large.
>
> A negative number means that the slot is empty, but setting a negative
> slot number this way will not remove the device from the array.  I don't
> think this is a serious problem, but it could cause confusion and it is
> best to fix it.
>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: NeilBrown <neilb@suse.de>

Applied to md-fixes. Thanks!

Song

> ---
>  drivers/md/md.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 02b0240e7c71..d4bfa35fb20a 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3131,6 +3131,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
>                 err = kstrtouint(buf, 10, (unsigned int *)&slot);
>                 if (err < 0)
>                         return err;
> +               if (slot < 0)
> +                       /* overflow */
> +                       return -ENOSPC;
>         }
>         if (rdev->mddev->pers && slot == -1) {
>                 /* Setting 'slot' on an active array requires also
> --
> 2.39.2
>

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 02b0240e7c71..d4bfa35fb20a 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3131,6 +3131,9 @@  slot_store(struct md_rdev *rdev, const char *buf, size_t len)
 		err = kstrtouint(buf, 10, (unsigned int *)&slot);
 		if (err < 0)
 			return err;
+		if (slot < 0)
+			/* overflow */
+			return -ENOSPC;
 	}
 	if (rdev->mddev->pers && slot == -1) {
 		/* Setting 'slot' on an active array requires also

md: avoid signed overflow in slot_store()

Commit Message

Comments

Patch