From: Ye Bin <yebin10@huawei.com>

mainline inclusion
from mainline-5.14-rc5
commit b66541422824cf6cf20e9a35112e9cb5d82cdf62
category: bugfix
bugzilla: 175849
CVE: NA
-------------------------------------------------
if (!ext4_has_feature_mmp(sb)) then retval can be uninitialized before we jump to the wait_to_exit label.

Fixes: 61bb4a1c417e ("ext4: fix possible UAF when remounting r/o a mmp-protected file system")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20210713022728.2533770-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 fs/ext4/mmp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c index 5af24925ffa83..0e9569dc02da2 100644 --- a/fs/ext4/mmp.c +++ b/fs/ext4/mmp.c @@ -138,7 +138,7 @@ static int kmmpd(void *data) unsigned mmp_check_interval; unsigned long last_update_time; unsigned long diff; - int retval; + int retval = 0;
mmp_block = le64_to_cpu(es->s_mmp_block); mmp = (struct mmp_struct *)(bh->b_data);
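Review bot: initializing retval to 0 at its declaration does remove the uninitialized read on the !ext4_has_feature_mmp(sb) path named in the commit message, but it also silently covers every future early jump to wait_to_exit; an explicit `retval = 0;` right before that `goto wait_to_exit` would record that the early exit is a clean shutdown rather than an error, and would keep the compiler able to flag a later path that forgets to set retval. As a minimal stable backport the one-line change is acceptable.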
From: Baokun Li <libaokun1@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 175174
CVE: NA
-------------------------------------------------
If the user specifies a large enough value for the NBD blocks option, it may trigger a signed integer overflow, which may lead to nbd->config->bytesize becoming a large or small value, zero in particular.

UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31
signed integer overflow:
1024 * 4611686155866341414 cannot be represented in type 'long long int'
[...]
Call trace:
[...]
 handle_overflow+0x188/0x1dc lib/ubsan.c:192
 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
 nbd_size_set drivers/block/nbd.c:325 [inline]
 __nbd_ioctl drivers/block/nbd.c:1342 [inline]
 nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395
 __blkdev_driver_ioctl block/ioctl.c:311 [inline]
[...]

Although it is not a big deal, still silence the UBSAN by limiting the input value.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20210804021212.990223-1-libaokun1@huawei.com
[axboe: dropped unlikely()]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Conflicts: drivers/block/nbd.c
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/block/nbd.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 01bede097ed25..3a6b46aeacee4 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1327,6 +1327,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, unsigned int cmd, unsigned long arg) { struct nbd_config *config = nbd->config; + loff_t bytesize;
switch (cmd) { case NBD_DISCONNECT: @@ -1349,6 +1350,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, div_s64(arg, config->blksize)); return 0; case NBD_SET_SIZE_BLOCKS: + if (check_mul_overflow((loff_t)arg, config->blksize, &bytesize)) + return -EINVAL; nbd_size_set(nbd, config->blksize, arg); return 0; case NBD_SET_TIMEOUT:
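Review bot: the new check_mul_overflow() guards only the NBD_SET_SIZE_BLOCKS ioctl, while the UBSAN trace in the commit message places the overflowing multiplication inside nbd_size_set() itself (drivers/block/nbd.c:325), so any other caller of nbd_size_set() that hands it a user-controlled block count is still unchecked; moving the check into nbd_size_set() and returning -EINVAL from there would cover every path at once. Also, `bytesize` is write-only in this hunk: it receives the checked product and is then dropped, since `nbd_size_set(nbd, config->blksize, arg)` recomputes it. Either pass the already-validated value through or add a short comment saying the variable exists only as the overflow sink, so the next reader does not take it for a lost assignment. The `(loff_t)arg` cast is what makes the check meaningful (arg is an unsigned long block count, the product must fit in the signed loff_t), and a one-line comment to that effect would help.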