From patchwork Tue Jul 9 16:28:04 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 257833 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 5305A2C009A for ; Wed, 10 Jul 2013 02:33:35 +1000 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Uwar2-00017Q-DD; Tue, 09 Jul 2013 16:33:28 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Uwalq-0006AU-Aa for kernel-team@lists.ubuntu.com; Tue, 09 Jul 2013 16:28:06 +0000 Received: from bl15-104-132.dsl.telepac.pt ([188.80.104.132] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1Uwalq-0007x6-2s; Tue, 09 Jul 2013 16:28:06 +0000 From: Luis Henriques To: Jiang Liu Subject: [ 3.8.y.z extended stable ] Patch "zram: avoid access beyond the zram device" has been added to staging queue Date: Tue, 9 Jul 2013 17:28:04 +0100 Message-Id: <1373387284-20988-1-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 1.8.1.2 X-Extended-Stable: 3.8 Cc: Greg Kroah-Hartman , kernel-team@lists.ubuntu.com, Jiang Liu X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled zram: avoid access beyond the zram device to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.8.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From ca0e16572c643ca7eab9e231f2dc3fbdce56ca92 Mon Sep 17 00:00:00 2001 From: Jiang Liu Date: Fri, 7 Jun 2013 00:07:26 +0800 Subject: [PATCH] zram: avoid access beyond the zram device commit 12a7ad3b810e77137d0caf97a6dd97591e075b30 upstream. Function valid_io_request() should verify the entire request are within the zram device address range. Otherwise it may cause invalid memory access when accessing/modifying zram->meta->table[index] because the 'index' is out of range. Then it may access non-exist memory, randomly modify memory belong to other subsystems, which is hard to track down. Signed-off-by: Jiang Liu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Luis Henriques --- drivers/staging/zram/zram_drv.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) -- 1.8.1.2 diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c index ff2228e..62f8276 100644 --- a/drivers/staging/zram/zram_drv.c +++ b/drivers/staging/zram/zram_drv.c @@ -461,13 +461,20 @@ out: */ static inline int valid_io_request(struct zram *zram, struct bio *bio) { - if (unlikely( - (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) || - (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)) || - (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) { + u64 start, end, bound; + + /* unaligned request */ + if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1))) + return 0; + if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1))) + return 0; + start = bio->bi_sector; + end = start + (bio->bi_size >> SECTOR_SHIFT); + bound = zram->disksize >> SECTOR_SHIFT; + /* out of range range */ + if (unlikely(start >= bound || end >= bound || start > end)) return 0; - } /* I/O request is valid */ return 1;