Patch "nbd: add the check to prevent overflow in __nbd_ioctl()" has been added to the 5.14-stable tree

This is a note to let you know that I've just added the patch titled

    nbd: add the check to prevent overflow in __nbd_ioctl()

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9bfa99e9ce9cbe2e4e2761e9710bfda7b3042abe
Author: Baokun Li <libaokun1@xxxxxxxxxx>
Date:   Wed Aug 4 10:12:12 2021 +0800

    nbd: add the check to prevent overflow in __nbd_ioctl()
    
    [ Upstream commit fad7cd3310db3099f95dd34312c77740fbc455e5 ]
    
    If the user specifies a large enough value for the NBD blocks option, it
    may trigger a signed integer overflow, which may lead to
    nbd->config->bytesize becoming a large or small value, zero in particular.
    
    UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31
    signed integer overflow:
    1024 * 4611686155866341414 cannot be represented in type 'long long int'
    [...]
    Call trace:
    [...]
     handle_overflow+0x188/0x1dc lib/ubsan.c:192
     __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
     nbd_size_set drivers/block/nbd.c:325 [inline]
     __nbd_ioctl drivers/block/nbd.c:1342 [inline]
     nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395
     __blkdev_driver_ioctl block/ioctl.c:311 [inline]
    [...]
    
    Although it is not a big deal, still silence the UBSAN by limiting
    the input value.
    
    Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
    Signed-off-by: Baokun Li <libaokun1@xxxxxxxxxx>
    Reviewed-by: Josef Bacik <josef@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210804021212.990223-1-libaokun1@xxxxxxxxxx
    [axboe: dropped unlikely()]
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 19f5d5a8b16a..acf3f85bf3c7 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1388,6 +1388,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
 		       unsigned int cmd, unsigned long arg)
 {
 	struct nbd_config *config = nbd->config;
+	loff_t bytesize;
 
 	switch (cmd) {
 	case NBD_DISCONNECT:
@@ -1402,8 +1403,9 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
 	case NBD_SET_SIZE:
 		return nbd_set_size(nbd, arg, config->blksize);
 	case NBD_SET_SIZE_BLOCKS:
-		return nbd_set_size(nbd, arg * config->blksize,
-				    config->blksize);
+		if (check_mul_overflow((loff_t)arg, config->blksize, &bytesize))
+			return -EINVAL;
+		return nbd_set_size(nbd, bytesize, config->blksize);
 	case NBD_SET_TIMEOUT:
 		nbd_set_cmd_timeout(nbd, arg);
 		return 0;
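
Review bot: in the NBD_SET_SIZE_BLOCKS case, the `(loff_t)arg` cast converts an unsigned long to a signed type, so on 64-bit any `arg` with the top bit set becomes negative, and check_mul_overflow() only reports a product that cannot be represented in loff_t. A negative product that fits therefore passes the check and is handed to nbd_set_size() as `bytesize`. Consider rejecting that as well, for example `if (check_mul_overflow(...) || bytesize < 0) return -EINVAL;`, unless nbd_set_size() already validates its argument, which is not visible in this hunk. The NBD_SET_SIZE case directly above still passes `arg` through without any range check, so it deserves the same look.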


