[PATCH openEuler-1.0-LTS] md/raid10: fix wrong setting of max_corr_read_errors
From: Li Nan <linan122@huawei.com> stable inclusion from stable-v4.19.291 commit 025fde32fb957a5c271711bc66841f817ff5f299 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYBXF CVE: CVE-2023-53313 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... ------------------ [ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] There is no input check when echo md/max_read_errors and overflow might occur. Add check of input number. Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") Signed-off-by: Li Nan <linan122@huawei.com> Reviewed-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Song Liu <song@kernel.org> Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- drivers/md/md.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/md/md.c b/drivers/md/md.c index 73ac6e6fee35..809ad01abefd 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -4430,6 +4430,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len rv = kstrtouint(buf, 10, &n); if (rv < 0) return rv; + if (n > INT_MAX) + return -EINVAL; atomic_set(&mddev->max_corr_read_errors, n); return len; } -- 2.39.2
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/18207 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/BGN... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/18207 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/BGN...
participants (2)
-
patchwork bot -
Zheng Qixing