Hi

I've found a bug in dm-integrity - if the user specified tag size greater than HASH_MAX_DIGESTSIZE (and lower or equal than MAX_TAG_SIZE), it crashes if the kmalloc call in integrity_metadata fails.

I'm still not sure how to fix it: we can extend the size of the array checksums_onstack (but the extended array takes 424 bytes - which may be too large). Or, we can restrict ic->tag_size to HASH_MAX_DIGESTSIZE, but it may break some existing volumes where the user is using larger tag_size.

What do you think would be better?

Mikulas

From: Mikulas Patocka <mpatocka@xxxxxxxxxx>

If the user specifies tag size larger than HASH_MAX_DIGESTSIZE, there's a crash in integrity_metadata.

Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>

--- drivers/md/dm-integrity.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: linux-2.6/drivers/md/dm-integrity.c =================================================================== --- linux-2.6.orig/drivers/md/dm-integrity.c 2020-03-19 15:28:14.000000000 +0100 +++ linux-2.6/drivers/md/dm-integrity.c 2020-03-19 15:30:08.000000000 +0100 @@ -1519,7 +1519,7 @@ static void integrity_metadata(struct wo struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io)); char *checksums; unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0; - char checksums_onstack[HASH_MAX_DIGESTSIZE]; + char checksums_onstack[max(HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; unsigned sectors_to_process = dio->range.n_sectors; sector_t sector = dio->range.logical_sector;
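
Review bot: At the `checksums_onstack` declaration, the array bound `max(HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)` depends on the kernel's `max()`, which type-checks its two arguments; if the two macros do not have the same type, this draws a type-mismatch warning and the bound may stop being a compile-time constant, turning the buffer into a VLA. An explicit cast on one argument, or `max_t()` with a named type, would keep the bound unambiguous. The commit message says only "there's a crash in integrity_metadata"; it should carry what the cover note states, that the crash requires the kmalloc call to fail so the on-stack buffer is used with a tag size above HASH_MAX_DIGESTSIZE, and it should record the stack cost (424 bytes per the cover note) so the trade-off against restricting ic->tag_size is visible in the log.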