diff options
| author | Mikulas Patocka <mpatocka@redhat.com> | 2021-03-26 21:32:32 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-03-30 15:40:10 +0300 |
| commit | ba73e621ced58ff4ad1020a140ccb5843da1cb26 (patch) | |
| tree | 67e43616c19db9f1d77576b68c34d20ac13eab5c /drivers | |
| parent | e110c8a8d921dae7011e88ed5cb30c35bef88cd7 (diff) | |
| download | linux-ba73e621ced58ff4ad1020a140ccb5843da1cb26.tar.xz | |
dm ioctl: fix out of bounds array access when no devices
commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream.
If there are not any dm devices, we need to zero the "dev" argument in
the first structure dm_name_list. However, this can cause out of
bounds write, because the "needed" variable is zero and len may be
less than eight.
Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
too small to hold the "nl->dev" value.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/md/dm-ioctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 469453e106d1..2f020401d5ba 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -529,7 +529,7 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_ * Grab our output buffer. */ nl = orig_nl = get_result_buffer(param, param_size, &len); - if (len < needed) { + if (len < needed || len < sizeof(nl->dev)) { param->flags |= DM_BUFFER_FULL_FLAG; goto out; } |