block, zoned: fix integer overflow with BLKRESETZONE et al
authorAlexey Dobriyan <adobriyan@gmail.com>
Wed, 12 Feb 2020 17:40:27 +0000 (20:40 +0300)
committerJens Axboe <axboe@kernel.dk>
Thu, 12 Mar 2020 15:10:52 +0000 (09:10 -0600)
Check for overflow in addition before checking for end-of-block-device.

Steps to reproduce:

#define _GNU_SOURCE 1
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

typedef unsigned long long __u64;

struct blk_zone_range {
        __u64 sector;
        __u64 nr_sectors;
};

#define BLKRESETZONE    _IOW(0x12, 131, struct blk_zone_range)

int main(void)
{
        int fd = open("/dev/nullb0", O_RDWR|O_DIRECT);
        struct blk_zone_range zr = {4096, 0xfffffffffffff000ULL};
        ioctl(fd, BLKRESETZONE, &zr);
        return 0;
}

BUG: KASAN: null-ptr-deref in submit_bio_wait+0x74/0xe0
Write of size 8 at addr 0000000000000040 by task a.out/1590

CPU: 8 PID: 1590 Comm: a.out Not tainted 5.6.0-rc1-00019-g359c92c02bfa #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190711_202441-buildvm-armv7-10.arm.fedoraproject.org-2.fc31 04/01/2014
Call Trace:
 dump_stack+0x76/0xa0
 __kasan_report.cold+0x5/0x3e
 kasan_report+0xe/0x20
 submit_bio_wait+0x74/0xe0
 blkdev_zone_mgmt+0x26f/0x2a0
 blkdev_zone_mgmt_ioctl+0x14b/0x1b0
 blkdev_ioctl+0xb28/0xe60
 block_ioctl+0x69/0x80
 ksys_ioctl+0x3af/0xa50

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alexey Dobriyan (SK hynix) <adobriyan@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
block/blk-zoned.c

index 05741c6f618be9162cf642faf83cbbc420023fe8..6b442ae96499a7e55384a18376f006ba57088ed6 100644 (file)
@@ -173,7 +173,7 @@ int blkdev_zone_mgmt(struct block_device *bdev, enum req_opf op,
        if (!op_is_zone_mgmt(op))
                return -EOPNOTSUPP;
 
-       if (!nr_sectors || end_sector > capacity)
+       if (end_sector <= sector || end_sector > capacity)
                /* Out of range */
                return -EINVAL;