diff options
| author | Pavel Skripkin <[email protected]> | 2021-08-12 12:15:01 +0300 |
|---|---|---|
| committer | Jens Axboe <[email protected]> | 2021-08-16 10:56:33 -0600 |
| commit | b1a811633f7321cf1ae2bb76a66805b7720e44c9 (patch) | |
| tree | 48a1a23c5fb4a7cd233322535a1c71019d0529f2 /lib/test_fortify/write_overflow-memcpy.c | |
| parent | 9ea9b9c48387edc101d56349492ad9c0492ff78d (diff) | |
block: nbd: add sanity check for first_minor
Syzbot hit WARNING in internal_create_group(). The problem was in
too big disk->first_minor.
disk->first_minor is initialized by value, which comes from userspace
and there wasn't any sanity checks about value correctness. It can cause
duplicate creation of sysfs files/links, because disk->first_minor will
be passed to MKDEV() which causes truncation to byte. Since maximum
minor value is 0xff, let's check if first_minor is correct minor number.
NOTE: the root case of the reported warning was in wrong error handling
in register_disk(), but we can avoid passing knowingly wrong values to
sysfs API, because sysfs error messages can confuse users. For example:
user passed 1048576 as index, but sysfs complains about duplicate
creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0.
Log and reproducer for above example can be found on syzkaller bug
report page.
Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1
Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Reported-by: [email protected]
Reviewed-by: Christoph Hellwig <[email protected]>
Signed-off-by: Pavel Skripkin <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Diffstat (limited to 'lib/test_fortify/write_overflow-memcpy.c')
0 files changed, 0 insertions, 0 deletions