Hello,

On Tue, Dec 19, 2023 at 08:55:13PM +0000, Yang, Chenyuan wrote:
> Hello,
>
> We detected another crash bug for the `md` driver implemented in `drivers/md/dm-ioctl.c` and `dm-table.c` by using Syzkaller. This is kind of like "kmalloc bug in ctl_ioctl", but it is related to another CMD value and argument (`DM_TABLE_LOAD_CMD` and `struct dm_ioctl.target_count`).
>
> Based on our understanding, this bug is caused by `n_highs = kvcalloc(num, sizeof(struct dm_target) + sizeof(sector_t), GFP_KERNEL);` in `dm-table.c` (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-table.c#L112). This allocates an array with a size over INT_MAX.
>
> A possible patch is to have a check for `struct dm_ioctl.target_count`, which is the argument for the `ioctl` with `DM_TABLE_LOAD_CMD` as the command value. Currently, there is no check for this argument.
>
> We reproduced this bug in the latest Linux kernel (reproducible on 3bd7d748816927202268cb335921f7f68b3ca723 and found on d2f51b3516dade79269ff45eae2a7668ae711b25), and the config for the kernel is attached.
>
> Here is the log and Syzkaller reproducer. The C reproducer is also attached, which can be compiled with `gcc -pthread`.
(...)

Quick note, there's no need to Cc the security list since this was cross-posted to a public list:

https://lore.kernel.org/dm-devel/PH7PR11MB5768D4593870E9515DEE6334A097A@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/T/#u

Thanks,
Willy
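The report above describes an unchecked user-supplied count (`struct dm_ioctl.target_count`) multiplied into an allocation size. The following is an added illustration of the validation the report asks for, written for this page; it is not the kernel's code, not the reporter's patch, and not the attached reproducer. `struct dm_target_demo`, its 64-byte size, `DEMO_MAX_TARGETS`, and the function names are assumptions made for the demo; the real `struct dm_target` and any limit the maintainers chose are not taken from this page.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel types named in the report. The sizes are
 * assumptions for this demo; the real struct dm_target differs. */
typedef uint64_t sector_t;
struct dm_target_demo { unsigned char opaque[64]; };

/* Hypothetical ceiling on targets per table. The report only says a check
 * on target_count is missing; it does not name a limit. */
#define DEMO_MAX_TARGETS (1u << 16)

enum target_count_verdict {
	TC_OK = 0,
	TC_ZERO,         /* a table with no targets makes no sense */
	TC_ABOVE_LIMIT,  /* exceeds the caller-supplied ceiling */
	TC_OVERFLOW,     /* size_t multiplication would wrap */
	TC_TOO_LARGE     /* total exceeds INT_MAX, which kvmalloc refuses */
};

/* Mirror of the allocation size computed in dm-table.c:
 * num * (sizeof(struct dm_target) + sizeof(sector_t)).
 * Sets *wrapped and returns 0 if the product does not fit in size_t. */
static size_t table_alloc_bytes(uint32_t target_count, int *wrapped)
{
	const size_t per_target = sizeof(struct dm_target_demo) + sizeof(sector_t);

	*wrapped = 0;
	if (target_count != 0 && per_target > SIZE_MAX / target_count) {
		*wrapped = 1;
		return 0;
	}
	return (size_t)target_count * per_target;
}

/* Validation applied to the user-supplied target_count before any
 * allocation. 'limit' is the ceiling; passing UINT32_MAX models the
 * reported kernel, which had no ceiling at all. */
static enum target_count_verdict check_target_count(uint32_t target_count,
						    uint32_t limit,
						    size_t *bytes_out)
{
	int wrapped;
	size_t bytes;

	if (target_count == 0)
		return TC_ZERO;
	if (target_count > limit)
		return TC_ABOVE_LIMIT;

	bytes = table_alloc_bytes(target_count, &wrapped);
	if (wrapped)
		return TC_OVERFLOW;
	/* kvmalloc_node() rejects (and warns on) sizes above INT_MAX; a
	 * user-controlled count must be stopped before it reaches that path. */
	if (bytes > (size_t)INT_MAX)
		return TC_TOO_LARGE;

	if (bytes_out)
		*bytes_out = bytes;
	return TC_OK;
}

int main(void)
{
	/* Constructed inputs: sane counts plus the UINT32_MAX a fuzzer can
	 * place in struct dm_ioctl.target_count. */
	const uint32_t counts[] = { 1, 4, DEMO_MAX_TARGETS, DEMO_MAX_TARGETS + 1, UINT32_MAX };
	size_t i;

	for (i = 0; i < sizeof counts / sizeof counts[0]; i++) {
		size_t bytes = 0;
		enum target_count_verdict no_cap =
			check_target_count(counts[i], UINT32_MAX, &bytes);
		enum target_count_verdict capped =
			check_target_count(counts[i], DEMO_MAX_TARGETS, NULL);

		printf("target_count=%10u  uncapped verdict=%d (%zu bytes)  capped verdict=%d\n",
		       counts[i], (int)no_cap, bytes, (int)capped);
	}
	return 0;
}
```

Without a ceiling, `UINT32_MAX` targets is only caught by the `INT_MAX` backstop (the condition the report says triggers the crash); with the ceiling it is rejected up front, before any size arithmetic, which is the check a maintainer would want at the ioctl boundary.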