| Message ID | 20220822211236.9023-3-schmitzmic@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Amiga RDB partition support fixes | expand |
Hi Michael,
I love your patch! Perhaps something to improve:
[auto build test WARNING on axboe-block/for-next]
[also build test WARNING on linus/master v6.0-rc2 next-20220822]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Michael-Schmitz/Amiga-RDB-partition-support-fixes/20220823-051457
base: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-next
config: i386-randconfig-s002 (https://download.01.org/0day-ci/archive/20220823/202208231319.Ng5RTzzg-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.3.0-5) 11.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.4-39-gce1a6720-dirty
# https://github.com/intel-lab-lkp/linux/commit/6b86551e8891f07839a8c3ad19e3f770b0f738e9
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Michael-Schmitz/Amiga-RDB-partition-support-fixes/20220823-051457
git checkout 6b86551e8891f07839a8c3ad19e3f770b0f738e9
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=i386 SHELL=/bin/bash block/partitions/
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> block/partitions/amiga.c:132:30: sparse: sparse: cast to restricted __be32
block/partitions/amiga.c:133:25: sparse: sparse: cast to restricted __be32
vim +132 block/partitions/amiga.c
35
36 int amiga_partition(struct parsed_partitions *state)
37 {
38 Sector sect;
39 unsigned char *data;
40 struct RigidDiskBlock *rdb;
41 struct PartitionBlock *pb;
42 u64 start_sect, nr_sects;
43 sector_t blk, end_sect;
44 u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */
45 u32 nr_hd, nr_sect, lo_cyl, hi_cyl;
46 int part, res = 0;
47 unsigned int blksize = 1; /* Multiplier for disk block size */
48 int slot = 1;
49
50 for (blk = 0; ; blk++, put_dev_sector(sect)) {
51 if (blk == RDB_ALLOCATION_LIMIT)
52 goto rdb_done;
53 data = read_part_sector(state, blk, §);
54 if (!data) {
55 pr_err("Dev %s: unable to read RDB block %llu\n",
56 state->disk->disk_name, blk);
57 res = -1;
58 goto rdb_done;
59 }
60 if (*(__be32 *)data != cpu_to_be32(IDNAME_RIGIDDISK))
61 continue;
62
63 rdb = (struct RigidDiskBlock *)data;
64 if (checksum_block((__be32 *)data, be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F) == 0)
65 break;
66 /* Try again with 0xdc..0xdf zeroed, Windows might have
67 * trashed it.
68 */
69 *(__be32 *)(data+0xdc) = 0;
70 if (checksum_block((__be32 *)data,
71 be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) {
72 pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n",
73 blk);
74 break;
75 }
76
77 pr_err("Dev %s: RDB in block %llu has bad checksum\n",
78 state->disk->disk_name, blk);
79 }
80
81 /* blksize is blocks per 512 byte standard block */
82 blksize = be32_to_cpu( rdb->rdb_BlockBytes ) / 512;
83
84 {
85 char tmp[7 + 10 + 1 + 1];
86
87 /* Be more informative */
88 snprintf(tmp, sizeof(tmp), " RDSK (%d)", blksize * 512);
89 strlcat(state->pp_buf, tmp, PAGE_SIZE);
90 }
91 blk = be32_to_cpu(rdb->rdb_PartitionList);
92 put_dev_sector(sect);
93 for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) {
94 /* Read in terms partition table understands */
95 if (check_mul_overflow(blk, (sector_t) blksize, &blk)) {
96 pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n",
97 state->disk->disk_name, blk, part);
98 break;
99 }
100 data = read_part_sector(state, blk, §);
101 if (!data) {
102 pr_err("Dev %s: unable to read partition block %llu\n",
103 state->disk->disk_name, blk);
104 res = -1;
105 goto rdb_done;
106 }
107 pb = (struct PartitionBlock *)data;
108 blk = be32_to_cpu(pb->pb_Next);
109 if (pb->pb_ID != cpu_to_be32(IDNAME_PARTITION))
110 continue;
111 if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 )
112 continue;
113
114 /* RDB gives us more than enough rope to hang ourselves with,
115 * many times over (2^128 bytes if all fields max out).
116 * Some careful checks are in order, so check for potential
117 * overflows.
118 * We are multiplying four 32 bit numbers to one sector_t!
119 */
120
121 nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]);
122 nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]);
123
124 /* CylBlocks is total number of blocks per cylinder */
125 if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) {
126 pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n",
127 state->disk->disk_name, cylblk);
128 continue;
129 }
130
131 /* check for consistency with RDB defined CylBlocks */
> 132 if (cylblk > be32_to_cpu((__be32)rdb->rdb_CylBlocks)) {
diff --git a/block/partitions/amiga.c b/block/partitions/amiga.c index 85c5c79aae48..e28a4b917822 100644 --- a/block/partitions/amiga.c +++ b/block/partitions/amiga.c @@ -11,10 +11,18 @@ #define pr_fmt(fmt) fmt #include <linux/types.h> +#include <linux/mm_types.h> +#include <linux/overflow.h> #include <linux/affs_hardblocks.h> #include "check.h" +/* magic offsets in partition DosEnvVec */ +#define NR_HD 3 +#define NR_SECT 5 +#define LO_CYL 9 +#define HI_CYL 10 + static __inline__ u32 checksum_block(__be32 *m, int size) { @@ -31,9 +39,12 @@ int amiga_partition(struct parsed_partitions *state) unsigned char *data; struct RigidDiskBlock *rdb; struct PartitionBlock *pb; - sector_t start_sect, nr_sects; - int blk, part, res = 0; - int blksize = 1; /* Multiplier for disk block size */ + u64 start_sect, nr_sects; + sector_t blk, end_sect; + u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */ + u32 nr_hd, nr_sect, lo_cyl, hi_cyl; + int part, res = 0; + unsigned int blksize = 1; /* Multiplier for disk block size */ int slot = 1; for (blk = 0; ; blk++, put_dev_sector(sect)) { @@ -41,7 +52,7 @@ int amiga_partition(struct parsed_partitions *state) goto rdb_done; data = read_part_sector(state, blk, §); if (!data) { - pr_err("Dev %s: unable to read RDB block %d\n", + pr_err("Dev %s: unable to read RDB block %llu\n", state->disk->disk_name, blk); res = -1; goto rdb_done; @@ -58,12 +69,12 @@ int amiga_partition(struct parsed_partitions *state) *(__be32 *)(data+0xdc) = 0; if (checksum_block((__be32 *)data, be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) { - pr_err("Trashed word at 0xd0 in block %d ignored in checksum calculation\n", + pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n", blk); break; } - pr_err("Dev %s: RDB in block %d has bad checksum\n", + pr_err("Dev %s: RDB in block %llu has bad checksum\n", state->disk->disk_name, blk); } @@ -80,10 +91,15 @@ int amiga_partition(struct parsed_partitions *state) blk = be32_to_cpu(rdb->rdb_PartitionList); put_dev_sector(sect); for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) { - blk *= blksize; /* Read in terms partition table understands */ + /* Read in terms partition table understands */ + if (check_mul_overflow(blk, (sector_t) blksize, &blk)) { + pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n", + state->disk->disk_name, blk, part); + break; + } data = read_part_sector(state, blk, §); if (!data) { - pr_err("Dev %s: unable to read partition block %d\n", + pr_err("Dev %s: unable to read partition block %llu\n", state->disk->disk_name, blk); res = -1; goto rdb_done; @@ -95,19 +111,70 @@ int amiga_partition(struct parsed_partitions *state) if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 ) continue; - /* Tell Kernel about it */ + /* RDB gives us more than enough rope to hang ourselves with, + * many times over (2^128 bytes if all fields max out). + * Some careful checks are in order, so check for potential + * overflows. + * We are multiplying four 32 bit numbers to one sector_t! + */ + + nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]); + nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]); + + /* CylBlocks is total number of blocks per cylinder */ + if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) { + pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n", + state->disk->disk_name, cylblk); + continue; + } + + /* check for consistency with RDB defined CylBlocks */ + if (cylblk > be32_to_cpu((__be32)rdb->rdb_CylBlocks)) { + pr_warn("Dev %s: cylblk %u > rdb_CylBlocks %u!\n", + state->disk->disk_name, cylblk, + be32_to_cpu(rdb->rdb_CylBlocks)); + } + + /* RDB allows for variable logical block size - + * normalize to 512 byte blocks and check result. + */ + + if (check_mul_overflow(cylblk, blksize, &cylblk)) { + pr_err("Dev %s: partition %u bytes per cyl. overflows u32, skipping partition!\n", + state->disk->disk_name, part); + continue; + } + + /* Calculate partition start and end. Limit of 32 bit on cylblk + * guarantees no overflow occurs if LBD support is enabled. + */ + + lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]); + start_sect = ((u64) lo_cyl * cylblk); + + hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]); + nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk); - nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - - be32_to_cpu(pb->pb_Environment[9])) * - be32_to_cpu(pb->pb_Environment[3]) * - be32_to_cpu(pb->pb_Environment[5]) * - blksize; if (!nr_sects) continue; - start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * - be32_to_cpu(pb->pb_Environment[3]) * - be32_to_cpu(pb->pb_Environment[5]) * - blksize; + + /* Warn user if partition end overflows u32 (AmigaDOS limit) */ + + if ((start_sect + nr_sects) > UINT_MAX) { + pr_warn("Dev %s: partition %u (%llu-%llu) needs 64 bit device support!\n", + state->disk->disk_name, part, + start_sect, start_sect + nr_sects); + } + + if (check_add_overflow(start_sect, nr_sects, &end_sect)) { + pr_err("Dev %s: partition %u (%llu-%llu) needs LBD device support, skipping partition!\n", + state->disk->disk_name, part, + start_sect, end_sect); + continue; + } + + /* Tell Kernel about it */ + put_partition(state,slot++,start_sect,nr_sects); { /* Be even more informative to aid mounting */
The Amiga partition parser module uses signed int for partition sector address and count, which will overflow for disks larger than 1 TB. Use u64 as type for sector address and size to allow using disks up to 2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD format allows to specify disk sizes up to 2^128 bytes (though native OS limitations reduce this somewhat, to max 2^68 bytes), so check for u64 overflow carefully to protect against overflowing sector_t. Bail out if sector addresses overflow 32 bits on kernels without LBD support. This bug was reported originally in 2012, and the fix was created by the RDB author, Joanne Dow <jdow@earthlink.net>. A patch had been discussed and reviewed on linux-m68k at that time but never officially submitted (now resubmitted as separate patch). This patch adds additional error checking and warning messages. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2") Cc: <stable@vger.kernel.org> # 5.2 Reported-by: Martin Steigerwald <Martin@lichtvoll.de> Message-ID: <201206192146.09327.Martin@lichtvoll.de> Signed-off-by: Michael Schmitz <schmitzmic@gmail.com> Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org> Reviewed-by: Christoph Hellwig <hch@infradead.org> --- Changes from RFC: - use u64 instead of sector_t, since that may be u32 without LBD support - check multiplication overflows each step - 3 u32 values may exceed u64! - warn against use on AmigaDOS if partition data overflow u32 sector count. - warn if partition CylBlocks larger than what's stored in the RDSK header. - bail out if we were to overflow sector_t (32 or 64 bit). Changes from v1: Kars de Jong: - use defines for magic offsets in DosEnvec struct Geert Uytterhoeven: - use u64 cast for multiplications of u32 numbers - use array3_size for overflow checks - change pr_err to pr_warn - discontinue use of pr_cont - reword log messages - drop redundant nr_sects overflow test - warn against 32 bit overflow for each affected partition - skip partitions that overflow sector_t size instead of aborting scan Changes from v2: - further trim 32 bit overflow test - correct duplicate types.h inclusion introduced in v2 Changes from v3: - split off sector address type fix for independent review - change blksize to unsigned - use check_mul_overflow() instead of array3_size() - rewrite checks to avoid 64 bit divisions in check_mul_overflow() Changes from v5: Geert Uytterhoeven: - correct ineffective u64 cast to avoid 32 bit mult. overflow - fix mult. overflow in partition block address calculation Changes from v6: Geert Uytterhoeven: - don't fail hard on partition block address overflow Changes from v7: - replace bdevname(state->bdev, b) by state->disk->disk_name - drop warn_no_part conditionals - remove remaining warn_no_part Changes from v8: Christoph Hellwig: - whitespace fix, drop unnecessary u64 casts kbuid warning: - sparse warning fix --- block/partitions/amiga.c | 103 ++++++++++++++++++++++++++++++++------- 1 file changed, 85 insertions(+), 18 deletions(-)