From: Alexey Dobriyan <adobriyan@gmail.com>
Date: Wed, 12 Feb 2020 20:40:27 +0300
Subject: [PATCH] block, zoned: fix integer overflow with BLKRESETZONE et al
References: bsc#1175995,jsc#SLE-15608
Git-commit: 11bde986002c0af67eb92d73321d06baefae7128
Patch-mainline: v5.7-rc1
Check for overflow in addition before checking for end-of-block-device.
Steps to reproduce:
#define _GNU_SOURCE 1
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
typedef unsigned long long __u64;
struct blk_zone_range {
__u64 sector;
__u64 nr_sectors;
};
#define BLKRESETZONE _IOW(0x12, 131, struct blk_zone_range)
int main(void)
{
int fd = open("/dev/nullb0", O_RDWR|O_DIRECT);
struct blk_zone_range zr = {4096, 0xfffffffffffff000ULL};
ioctl(fd, BLKRESETZONE, &zr);
return 0;
}
BUG: KASAN: null-ptr-deref in submit_bio_wait+0x74/0xe0
Write of size 8 at addr 0000000000000040 by task a.out/1590
CPU: 8 PID: 1590 Comm: a.out Not tainted 5.6.0-rc1-00019-g359c92c02bfa #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190711_202441-buildvm-armv7-10.arm.fedoraproject.org-2.fc31 04/01/2014
Call Trace:
dump_stack+0x76/0xa0
__kasan_report.cold+0x5/0x3e
kasan_report+0xe/0x20
submit_bio_wait+0x74/0xe0
blkdev_zone_mgmt+0x26f/0x2a0
blkdev_zone_mgmt_ioctl+0x14b/0x1b0
blkdev_ioctl+0xb28/0xe60
block_ioctl+0x69/0x80
ksys_ioctl+0x3af/0xa50
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alexey Dobriyan (SK hynix) <adobriyan@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
block/blk-zoned.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-zoned.c b/block/blk-zoned.c
index ceb9b9df7716..e69b52a49361 100644
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -173,7 +173,7 @@ int blkdev_zone_mgmt(struct block_device *bdev, enum req_opf op,
if (!op_is_zone_mgmt(op))
return -EOPNOTSUPP;
- if (!nr_sectors || end_sector > capacity)
+ if (end_sector <= sector || end_sector > capacity)
/* Out of range */
return -EINVAL;
--
2.16.4