dm ioctl: fix out of bounds array access when no devices
commit 4edbe1d7bc
upstream.
If there are not any dm devices, we need to zero the "dev" argument in
the first structure dm_name_list. However, this can cause out of
bounds write, because the "needed" variable is zero and len may be
less than eight.
Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
too small to hold the "nl->dev" value.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[iwamatsu: Adjust context]
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
committed by
Greg Kroah-Hartman
parent
2da11226aa
commit
c13f073416
@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
|
|||||||
* Grab our output buffer.
|
* Grab our output buffer.
|
||||||
*/
|
*/
|
||||||
nl = get_result_buffer(param, param_size, &len);
|
nl = get_result_buffer(param, param_size, &len);
|
||||||
if (len < needed) {
|
if (len < needed || len < sizeof(nl->dev)) {
|
||||||
param->flags |= DM_BUFFER_FULL_FLAG;
|
param->flags |= DM_BUFFER_FULL_FLAG;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
Reference in New Issue
Block a user