Hi,

Pinging for review since there has been no activity on this patch for some time.

Thank you,
Shreyansh Chouhan

On Sat, Jun 26, 2021 at 01:54:06PM +0530, Shreyansh Chouhan wrote:
>
> loop_validate_block_size took an unsigned short argument. Passing an
> argument with size greater than the size of unsigned short would cause
> an overflow and could potentially render the upper bound check on the
> block size useless, allowing to set an arbitrarily large block size.
>
> Reported-by: syzbot+cf89d662483d6a1a0790@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@xxxxxxxxx>
> ---
>
> Changes from v1: Fixed the spelling of reported-by tag. Fixed the
> commit message.
>
> drivers/block/loop.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c > index 9a758cf66507..635baff0dd66 100644 > --- a/drivers/block/loop.c > +++ b/drivers/block/loop.c > @@ -236,7 +236,7 @@ static void __loop_update_dio(struct loop_device *lo, bool dio) > * @bsize: size to validate > */ > static int > -loop_validate_block_size(unsigned short bsize) > +loop_validate_block_size(unsigned long bsize) > { > if (bsize < 512 || bsize > PAGE_SIZE || !is_power_of_2(bsize)) > return -EINVAL; > -- > 2.31.1 >
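
Review bot: The commit message calls the problem an "overflow", but with the removed signature `loop_validate_block_size(unsigned short bsize)` the failure is an implicit narrowing conversion at the call: a wider value is reduced to its low bits before `bsize > PAGE_SIZE` and `is_power_of_2(bsize)` ever see it, so a large value whose low bits happen to be a valid block size is accepted. Wording it as "truncated" would make the bug easier to find later. The call sites are outside this hunk, so it is worth confirming that every caller's argument converts to `unsigned long` without losing bits, and adding a Fixes: tag for the commit that introduced the helper so stable trees can pick the change up.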
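
The truncation described in the quoted commit message, shown as an added userspace example that is not part of the patch or the kernel source. `validate_short`, `validate_long`, `demo_is_power_of_2` and `DEMO_PAGE_SIZE` are hypothetical stand-ins; the example assumes a 16-bit `unsigned short` and a 4 KiB page size.

```c
#include <errno.h>
#include <stdio.h>

/* Assumption: 4 KiB pages; the kernel's PAGE_SIZE depends on the architecture. */
#define DEMO_PAGE_SIZE 4096UL

/* Userspace stand-in for the kernel's is_power_of_2(). */
static int demo_is_power_of_2(unsigned long n)
{
    return n != 0 && (n & (n - 1)) == 0;
}

/* Pre-patch signature: the caller's value is narrowed to unsigned short
 * before the function body runs, so the bounds check only sees the low bits. */
static int validate_short(unsigned short bsize)
{
    if (bsize < 512 || bsize > DEMO_PAGE_SIZE || !demo_is_power_of_2(bsize))
        return -EINVAL;
    return 0;
}

/* Post-patch signature: the same check applied to the full value. */
static int validate_long(unsigned long bsize)
{
    if (bsize < 512 || bsize > DEMO_PAGE_SIZE || !demo_is_power_of_2(bsize))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid size, two oversized values whose low
     * 16 bits look valid, and one whose low 16 bits are zero. */
    unsigned long samples[] = { 4096UL, 0x10200UL, 0x7fff1000UL, 0x10000UL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%#lx: short-arg=%d long-arg=%d\n", samples[i],
               validate_short(samples[i]), validate_long(samples[i]));
    return 0;
}
```

Building with `-Wconversion` flags the narrowing at the `validate_short` calls, which is one way to catch this class of bug during review.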