dm ioctl: fix out of bounds array access when no devices

Mikulas Patocka · snitm · commit 4edbe1d7bcff · 2021-03-26T14:51:50.000-04:00
If there are not any dm devices, we need to zero the "dev" argument in
the first structure dm_name_list. However, this can cause out of
bounds write, because the "needed" variable is zero and len may be
less than eight.

Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
too small to hold the "nl-&gt;dev" value.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer &lt;snitzer@redhat.com&gt;
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
@@ -529,7 +529,7 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_
 	 * Grab our output buffer.
 	 */
 	nl = orig_nl = get_result_buffer(param, param_size, &len);
-	if (len < needed) {
+	if (len < needed || len < sizeof(nl->dev)) {
 		param->flags |= DM_BUFFER_FULL_FLAG;
 		goto out;
 	}

Original file line number	Diff line number	Diff line change
`@@ -529,7 +529,7 @@ static int list_devices(struct file filp, struct dm_ioctl param, size_t param_`
`529`	`529`	`* Grab our output buffer.`
`530`	`530`	`*/`
`531`	`531`	`nl = orig_nl = get_result_buffer(param, param_size, &len);`
`532`		`- if (len < needed) {`
	`532`	`+ if (len < needed \|\| len < sizeof(nl->dev)) {`
`533`	`533`	`param->flags \|= DM_BUFFER_FULL_FLAG;`
`534`	`534`	`goto out;`
`535`	`535`	`}`