Skip to content

Commit 8476f84

Browse files
Alexey Dobriyangregkh
Alexey Dobriyan
authored and
gregkh
committed
block: fix integer overflow in BLKSECDISCARD
commit 697ba0b6ec4ae04afb67d3911799b5e2043b4455 upstream. I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed Signed-off-by: Alexey Dobriyan <[email protected]> Link: https://lore.kernel.org/r/9e64057f-650a-46d1-b9f7-34af391536ef@p183 Signed-off-by: Jens Axboe <[email protected]> Signed-off-by: Rajani Kantha <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 1332c6e commit 8476f84

File tree

1 file changed

+5
-4
lines changed

1 file changed

+5
-4
lines changed

block/ioctl.c

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
115115
return -EINVAL;
116116

117117
filemap_invalidate_lock(inode->i_mapping);
118-
err = truncate_bdev_range(bdev, mode, start, start + len - 1);
118+
err = truncate_bdev_range(bdev, mode, start, end - 1);
119119
if (err)
120120
goto fail;
121121
err = blkdev_issue_discard(bdev, start >> 9, len >> 9, GFP_KERNEL);
@@ -127,7 +127,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
127127
static int blk_ioctl_secure_erase(struct block_device *bdev, fmode_t mode,
128128
void __user *argp)
129129
{
130-
uint64_t start, len;
130+
uint64_t start, len, end;
131131
uint64_t range[2];
132132
int err;
133133

@@ -142,11 +142,12 @@ static int blk_ioctl_secure_erase(struct block_device *bdev, fmode_t mode,
142142
len = range[1];
143143
if ((start & 511) || (len & 511))
144144
return -EINVAL;
145-
if (start + len > bdev_nr_bytes(bdev))
145+
if (check_add_overflow(start, len, &end) ||
146+
end > bdev_nr_bytes(bdev))
146147
return -EINVAL;
147148

148149
filemap_invalidate_lock(bdev->bd_inode->i_mapping);
149-
err = truncate_bdev_range(bdev, mode, start, start + len - 1);
150+
err = truncate_bdev_range(bdev, mode, start, end - 1);
150151
if (!err)
151152
err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9,
152153
GFP_KERNEL);

0 commit comments

Comments
 (0)