| Message ID | 20230525072041.3701176-1-zhongjinghua@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | [-next,v2] block: Fix the partition start may overflow in add_partition() |
On Thu, May 25, 2023 at 03:20:41PM +0800, Zhong Jinghua wrote:
> + if (p.start < 0 || p.length <= 0 || p.start + p.length < 0)
> + return -EINVAL;

Were zero-length partitions allowed before?

- Eric
On 2023/5/26 13:35, Eric Biggers wrote:
> On Thu, May 25, 2023 at 03:20:41PM +0800, Zhong Jinghua wrote:
>> + if (p.start < 0 || p.length <= 0 || p.start + p.length < 0)
>> + return -EINVAL;
> Were zero-length partitions allowed before?

Before this patch, the IO to the zero-length partition failed. I think it is meaningless, and it was fixed by the way.

> - Eric
diff --git a/block/ioctl.c b/block/ioctl.c index 9c5f637ff153..3223ea862523 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -33,9 +33,16 @@ static int blkpg_do_ioctl(struct block_device *bdev, if (op == BLKPG_DEL_PARTITION) return bdev_del_partition(disk, p.pno); + if (p.start < 0 || p.length <= 0 || p.start + p.length < 0) + return -EINVAL; + start = p.start >> SECTOR_SHIFT; length = p.length >> SECTOR_SHIFT; + /* length may be equal to 0 after right shift */ + if (!length || start + length > get_capacity(bdev->bd_disk)) + return -EINVAL; + switch (op) { case BLKPG_ADD_PARTITION: /* check if partition is aligned to blocksize */
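Review bot: the third condition of the first added check, `p.start + p.length < 0`, relies on signed overflow to detect a too-large sum, and since both operands have just been established as non-negative the compiler may treat that comparison as always false and drop it (signed overflow is undefined behaviour in C). Use `check_add_overflow(p.start, p.length, &end)` or the equivalent `p.length > LLONG_MAX - p.start` instead. Also, `p.length <= 0` newly rejects zero-length partitions for every op that reaches the switch; that behaviour change, which Eric asked about in the thread, should be stated in the commit message rather than left implicit.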
In the blkdev_ioctl, we can pass in the unsigned number 0x8000000000000000 as an input parameter, like below:

    blkdev_ioctl
      blkpg_ioctl
        blkpg_do_ioctl
          start = p.start >> SECTOR_SHIFT; // start = 0x8000000000000000 >> 9
          bdev_add_partition
            add_partition
              p->start_sect = start; // start = 0xffc0000000000000

Then, there was a warning when submitting bio:

    submit_bio_noacct
      submit_bio_checks
        blk_partition_remap
          bio->bi_iter.bi_sector += p->start_sect // bio->bi_iter.bi_sector = 0xffc0000000000000 + 0xfc00
    ..
    loop_process_work
      loop_handle_cmd
        do_req_filebacked
          pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset // pos is 0xffc000000000fc00 << 9
          lo_rw_aio
            call_read_iter
              ext4_dio_read_iter
                ext4_dio_read_iter
                  iomap_dio_rw
                    __iomap_dio_rw
                      iomap_iter
                        ext4_iomap_begin
                          map.m_lblk = offset >> blkbits // (u32) map.m_lblk is 0xfc00
                          ext4_set_iomap
                            iomap->offset = (u64) map->m_lblk << blkbits // iomap->offset = 0xfc00
                        iomap_iter_done
                          WARN_ON_ONCE(iter->iomap.offset > iter->pos); // iomap.offset = 0xfc00 and iter->pos < 0

This is unreasonable for start + length > disk->part0.nr_sects. There is already a similar check in blk_add_partition(). Fix it by adding a check in blkpg_do_ioctl().

Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
---
v2: Modify the io stack in commit message.

    block/ioctl.c | 7 +++++++
    1 file changed, 7 insertions(+)
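The sign-extension path described in the commit message, as an added example that is not part of the patch or of the kernel: `unchecked_start_sect` reproduces the arithmetic right shift of the negative `long long` that yields 0xffc0000000000000, and `validate_blkpg` applies the same two checks the patch adds but tests the sum with `__builtin_add_overflow` instead of relying on signed wraparound. The function names, the `capacity_sectors` argument standing in for `get_capacity()` and the NULL-able out-parameters are assumptions; it assumes GCC or Clang, where `>>` on a negative value is an arithmetic shift.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdio.h>

#define SECTOR_SHIFT 9

/* Pre-patch conversion: p.start is a signed long long, so the shift keeps the
 * sign bits, and stored into the unsigned sector_t start_sect it becomes huge. */
uint64_t unchecked_start_sect(long long p_start)
{
    return (uint64_t)(p_start >> SECTOR_SHIFT);
}

/* Same rules as the checks the patch adds to blkpg_do_ioctl(), but the sum test
 * uses __builtin_add_overflow: signed overflow is undefined in C, so the
 * expression `p.start + p.length < 0` may be optimised away. Returns 0/-EINVAL. */
int validate_blkpg(long long p_start, long long p_length,
                   uint64_t capacity_sectors,
                   uint64_t *start_out, uint64_t *length_out)
{
    long long end;
    uint64_t start, length;

    if (p_start < 0 || p_length <= 0 ||
        __builtin_add_overflow(p_start, p_length, &end))
        return -EINVAL;

    start = (uint64_t)p_start >> SECTOR_SHIFT;
    length = (uint64_t)p_length >> SECTOR_SHIFT;

    /* a length below one sector shifts to 0; both values are < 2^55, no wrap */
    if (!length || start + length > capacity_sectors)
        return -EINVAL;

    if (start_out) *start_out = start;
    if (length_out) *length_out = length;
    return 0;
}

int main(void)
{
    uint64_t s = 0, l = 0; /* constructed 512 MiB disk: 1 << 20 sectors */
    printf("unchecked start_sect for LLONG_MIN: 0x%" PRIx64 "\n",
           unchecked_start_sect(LLONG_MIN));
    printf("LLONG_MIN rejected: %d; 4096/8192 -> %d (start %" PRIu64 " len %" PRIu64 ")\n",
           validate_blkpg(LLONG_MIN, 512, 1ULL << 20, NULL, NULL),
           validate_blkpg(4096, 8192, 1ULL << 20, &s, &l), s, l);
    return 0;
}
```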