On Sat, 3 Jun 2023, Demi Marie Obenour wrote: > Especially on 32-bit systems, it is possible for the pointer arithmetic > to overflow and cause a userspace pointer to be dereferenced in the > kernel. > > Signed-off-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Mikulas Patocka <mpatocka@xxxxxxxxxx> > --- > drivers/md/dm-ioctl.c | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c > index 34fa74c6a70db8aa67aaba3f6a2fc4f38ef736bc..64e8f16d344c47057de5e2d29e3d63202197dca0 100644 > --- a/drivers/md/dm-ioctl.c > +++ b/drivers/md/dm-ioctl.c > @@ -1396,6 +1396,25 @@ static int next_target(struct dm_target_spec *last, uint32_t next, void *end, > { > static_assert(_Alignof(struct dm_target_spec) <= 8, > "struct dm_target_spec has excessive alignment requirements"); > + static_assert(offsetof(struct dm_ioctl, data) >= sizeof(struct dm_target_spec), > + "struct dm_target_spec too big"); > + > + /* > + * Number of bytes remaining, starting with last. This is always > + * sizeof(struct dm_target_spec) or more, as otherwise *last was > + * out of bounds already. > + */ > + size_t remaining = (char *)end - (char *)last; > + > + /* > + * There must be room for both the next target spec and the > + * NUL-terminator of the target itself. > + */ > + if (remaining - sizeof(struct dm_target_spec) <= next) { > + DMERR("Target spec extends beyond end of parameters"); > + return -EINVAL; > + } > + > if (next % 8) { > DMERR("Next target spec (offset %u) is not 8-byte aligned", next); > return -EINVAL; > -- > Sincerely, > Demi Marie Obenour (she/her/hers) > Invisible Things Lab > > -- > dm-devel mailing list > dm-devel@xxxxxxxxxx > https://listman.redhat.com/mailman/listinfo/dm-devel > -- dm-devel mailing list dm-devel@xxxxxxxxxx https://listman.redhat.com/mailman/listinfo/dm-devel