summaryrefslogtreecommitdiff
path: root/drivers/md/dm-clone-target.c
diff options
context:
space:
mode:
authorNikos Tsironis <ntsironis@arrikto.com>2020-03-27 16:01:09 +0200
committerMike Snitzer <snitzer@redhat.com>2020-03-27 14:41:46 -0400
commitcd481c12269b4d276f1a52eda0ebd419079bfe3a (patch)
treece0a92f40d99c7c2905bd1b6000e23632b5a8219 /drivers/md/dm-clone-target.c
parent4b5142905d4ff58a4b93f7c8eaa7ba829c0a53c9 (diff)
downloadlwn-cd481c12269b4d276f1a52eda0ebd419079bfe3a.tar.gz
lwn-cd481c12269b4d276f1a52eda0ebd419079bfe3a.zip
dm clone: Add overflow check for number of regions
Add overflow check for clone->nr_regions variable, which holds the number of regions of the target. The overflow can occur with sufficiently large devices, if BITS_PER_LONG == 32. E.g., if the region size is 8 sectors (4K), the overflow would occur for device sizes > 34359738360 sectors (~16TB). This could result in multiple device sectors wrongly mapping to the same region number, due to the truncation from 64 bits to 32 bits, which would lead to data corruption. Fixes: 7431b7835f55 ("dm: add clone target") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'drivers/md/dm-clone-target.c')
-rw-r--r--drivers/md/dm-clone-target.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/drivers/md/dm-clone-target.c b/drivers/md/dm-clone-target.c
index 022dddcad647..6ee85fb3388a 100644
--- a/drivers/md/dm-clone-target.c
+++ b/drivers/md/dm-clone-target.c
@@ -1790,6 +1790,7 @@ error:
static int clone_ctr(struct dm_target *ti, unsigned int argc, char **argv)
{
int r;
+ sector_t nr_regions;
struct clone *clone;
struct dm_arg_set as;
@@ -1831,7 +1832,16 @@ static int clone_ctr(struct dm_target *ti, unsigned int argc, char **argv)
goto out_with_source_dev;
clone->region_shift = __ffs(clone->region_size);
- clone->nr_regions = dm_sector_div_up(ti->len, clone->region_size);
+ nr_regions = dm_sector_div_up(ti->len, clone->region_size);
+
+ /* Check for overflow */
+ if (nr_regions != (unsigned long)nr_regions) {
+ ti->error = "Too many regions. Consider increasing the region size";
+ r = -EOVERFLOW;
+ goto out_with_source_dev;
+ }
+
+ clone->nr_regions = nr_regions;
r = validate_nr_regions(clone->nr_regions, &ti->error);
if (r)