dm ioctl: Avoid pointer arithmetic overflow

Especially on 32-bit systems, it is possible for the pointer arithmetic to overflow and cause a userspace pointer to be dereferenced in the kernel. Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> Reviewed-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Mike Snitzer <snitzer@kernel.org>

dm ioctl: Avoid pointer arithmetic overflow
Especially on 32-bit systems, it is possible for the pointer arithmetic to overflow and cause a userspace pointer to be dereferenced in the kernel. Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> Reviewed-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Mike Snitzer <snitzer@kernel.org>
13f4a697 · Demi Marie Obenour · Mike Snitzer · b60528d9 · 13f4a697
Commit 13f4a697 authored Jun 03, 2023 by Demi Marie Obenour Committed by Mike Snitzer Jun 23, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

drivers/md/dm-ioctl.c drivers/md/dm-ioctl.c +16 -0

No files found.
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1397,6 +1397,22 @@ static int next_target(struct dm_target_spec *last, uint32_t next, void *end,
 	static_assert(__alignof__(struct dm_target_spec) <= 8,
 		"struct dm_target_spec must not require more than 8-byte alignment");

+	/*
+	 * Number of bytes remaining, starting with last. This is always
+	 * sizeof(struct dm_target_spec) or more, as otherwise *last was
+	 * out of bounds already.
+	 */
+	size_t remaining = (char *)end - (char *)last;
+
+	/*
+	 * There must be room for both the next target spec and the
+	 * NUL-terminator of the target itself.
+	 */
+	if (remaining - sizeof(struct dm_target_spec) <= next) {
+		DMERR("Target spec extends beyond end of parameters");
+		return -EINVAL;
+	}
+
 	if (next % __alignof__(struct dm_target_spec)) {
 		DMERR("Next dm_target_spec (offset %u) is not %zu-byte aligned",
 		      next, __alignof__(struct dm_target_spec));