Skip to content

Commit 33698bd

Browse files
avasummergregkh
avasummer
authored and
gregkh
committed
md/raid5: validate payload size before accessing journal metadata
commit b0cc3ae upstream. r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal contains payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing. Fixes: b4c625c ("md/r5cache: r5cache recovery: part 1") Cc: stable@vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Link: https://lore.kernel.org/linux-raid/SYBPR01MB78815E78D829BB86CD7C8015AF5FA@SYBPR01MB7881.ausprd01.prod.outlook.com/ Signed-off-by: Yu Kuai <yukuai@fnnas.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 0988059 commit 33698bd

1 file changed

Lines changed: 33 additions & 15 deletions

File tree

drivers/md/raid5-cache.c

Lines changed: 33 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -2010,15 +2010,27 @@ r5l_recovery_verify_data_checksum_for_mb(struct r5l_log *log,
20102010
return -ENOMEM;
20112011

20122012
while (mb_offset < le32_to_cpu(mb->meta_size)) {
2013+
sector_t payload_len;
2014+
20132015
payload = (void *)mb + mb_offset;
20142016
payload_flush = (void *)mb + mb_offset;
20152017

20162018
if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) {
2019+
payload_len = sizeof(struct r5l_payload_data_parity) +
2020+
(sector_t)sizeof(__le32) *
2021+
(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
2022+
if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
2023+
goto mismatch;
20172024
if (r5l_recovery_verify_data_checksum(
20182025
log, ctx, page, log_offset,
20192026
payload->checksum[0]) < 0)
20202027
goto mismatch;
20212028
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_PARITY) {
2029+
payload_len = sizeof(struct r5l_payload_data_parity) +
2030+
(sector_t)sizeof(__le32) *
2031+
(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
2032+
if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
2033+
goto mismatch;
20222034
if (r5l_recovery_verify_data_checksum(
20232035
log, ctx, page, log_offset,
20242036
payload->checksum[0]) < 0)
@@ -2031,22 +2043,18 @@ r5l_recovery_verify_data_checksum_for_mb(struct r5l_log *log,
20312043
payload->checksum[1]) < 0)
20322044
goto mismatch;
20332045
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
2034-
/* nothing to do for R5LOG_PAYLOAD_FLUSH here */
2046+
payload_len = sizeof(struct r5l_payload_flush) +
2047+
(sector_t)le32_to_cpu(payload_flush->size);
2048+
if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
2049+
goto mismatch;
20352050
} else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
20362051
goto mismatch;
20372052

2038-
if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
2039-
mb_offset += sizeof(struct r5l_payload_flush) +
2040-
le32_to_cpu(payload_flush->size);
2041-
} else {
2042-
/* DATA or PARITY payload */
2053+
if (le16_to_cpu(payload->header.type) != R5LOG_PAYLOAD_FLUSH) {
20432054
log_offset = r5l_ring_add(log, log_offset,
20442055
le32_to_cpu(payload->size));
2045-
mb_offset += sizeof(struct r5l_payload_data_parity) +
2046-
sizeof(__le32) *
2047-
(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
20482056
}
2049-
2057+
mb_offset += payload_len;
20502058
}
20512059

20522060
put_page(page);
@@ -2097,6 +2105,7 @@ r5c_recovery_analyze_meta_block(struct r5l_log *log,
20972105
log_offset = r5l_ring_add(log, ctx->pos, BLOCK_SECTORS);
20982106

20992107
while (mb_offset < le32_to_cpu(mb->meta_size)) {
2108+
sector_t payload_len;
21002109
int dd;
21012110

21022111
payload = (void *)mb + mb_offset;
@@ -2105,6 +2114,12 @@ r5c_recovery_analyze_meta_block(struct r5l_log *log,
21052114
if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
21062115
int i, count;
21072116

2117+
payload_len = sizeof(struct r5l_payload_flush) +
2118+
(sector_t)le32_to_cpu(payload_flush->size);
2119+
if (mb_offset + payload_len >
2120+
le32_to_cpu(mb->meta_size))
2121+
return -EINVAL;
2122+
21082123
count = le32_to_cpu(payload_flush->size) / sizeof(__le64);
21092124
for (i = 0; i < count; ++i) {
21102125
stripe_sect = le64_to_cpu(payload_flush->flush_stripes[i]);
@@ -2118,12 +2133,17 @@ r5c_recovery_analyze_meta_block(struct r5l_log *log,
21182133
}
21192134
}
21202135

2121-
mb_offset += sizeof(struct r5l_payload_flush) +
2122-
le32_to_cpu(payload_flush->size);
2136+
mb_offset += payload_len;
21232137
continue;
21242138
}
21252139

21262140
/* DATA or PARITY payload */
2141+
payload_len = sizeof(struct r5l_payload_data_parity) +
2142+
(sector_t)sizeof(__le32) *
2143+
(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
2144+
if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
2145+
return -EINVAL;
2146+
21272147
stripe_sect = (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) ?
21282148
raid5_compute_sector(
21292149
conf, le64_to_cpu(payload->location), 0, &dd,
@@ -2188,9 +2208,7 @@ r5c_recovery_analyze_meta_block(struct r5l_log *log,
21882208
log_offset = r5l_ring_add(log, log_offset,
21892209
le32_to_cpu(payload->size));
21902210

2191-
mb_offset += sizeof(struct r5l_payload_data_parity) +
2192-
sizeof(__le32) *
2193-
(le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
2211+
mb_offset += payload_len;
21942212
}
21952213

21962214
return 0;

0 commit comments

Comments
 (0)