From: Christoph Hellwig <hch@lst.de>

stable inclusion
from stable-v6.6.33
commit 910717920c8c3f9386277a44c44d448058a18084
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG8
CVE: CVE-2024-38604
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 0c12028aec837f5a002009bbf68d179d506510e8 ]
blkdev_iomap_begin rounds down the offset to the logical block size before stashing it in iomap->offset and checking that it still is inside the inode size.
Check the i_size check to the raw pos value so that we don't try a zero size write if iter->pos is unaligned.
Fixes: 487c607df790 ("block: use iomap for writes to block devices")
Reported-by: syzbot+0a3683a0a6fecf909244@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: syzbot+0a3683a0a6fecf909244@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20240503081042.2078062-1-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Nan <linan122@huawei.com>
---
 block/fops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/fops.c b/block/fops.c index 7e921f999182..33b724b1d963 100644 --- a/block/fops.c +++ b/block/fops.c @@ -387,7 +387,7 @@ static int blkdev_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
iomap->bdev = bdev; iomap->offset = ALIGN_DOWN(offset, bdev_logical_block_size(bdev)); - if (iomap->offset >= isize) + if (offset >= isize) return -EIO; iomap->type = IOMAP_MAPPED; iomap->addr = iomap->offset;
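Review bot: the `if (offset >= isize)` test in blkdev_iomap_begin() now depends only on the caller's unaligned position, yet it still sits after `iomap->bdev` and `iomap->offset` have been written, so the -EIO path returns with a partly filled iomap. If `isize` is already available at that point, consider moving the check above the two assignments. A one-line comment on the check saying that the raw position is compared on purpose (the `ALIGN_DOWN` result can fall below `isize` while `offset` itself does not) would keep a later cleanup from switching back to `iomap->offset`.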