diff options
author | Ming Lei <ming.lei@redhat.com> | 2021-03-27 15:13:09 +0800 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2021-03-27 09:22:18 -0600 |
commit | e82fc7855749aa197740a60ef22c492c41ea5d5f (patch) | |
tree | 676ffbe3e79759503f9d360c6388483a14313086 /block/partitions/core.c | |
parent | 7de55b7d6f09a2865279d3c41c0fbdbfdb87486a (diff) | |
download | lwn-e82fc7855749aa197740a60ef22c492c41ea5d5f.tar.gz lwn-e82fc7855749aa197740a60ef22c492c41ea5d5f.zip |
block: don't create too many partitions
Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops the
check on max supported number of partitionsr, and allows partition with
bigger partition numbers to be added. However, ->bd_partno is defined as
u8, so partition index of xarray table may not match with ->bd_partno.
Then delete_partition() may delete one unmatched partition, and caused
use-after-free.
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com
Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'block/partitions/core.c')
-rw-r--r-- | block/partitions/core.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/block/partitions/core.c b/block/partitions/core.c index 1a7558917c47..46f055bc7ecb 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -323,6 +323,13 @@ static struct block_device *add_partition(struct gendisk *disk, int partno, int err; /* + * disk_max_parts() won't be zero, either GENHD_FL_EXT_DEVT is set + * or 'minors' is passed to alloc_disk(). + */ + if (partno >= disk_max_parts(disk)) + return ERR_PTR(-EINVAL); + + /* * Partitions are not supported on zoned block devices that are used as * such. */ |