Patchwork [3.11,173/208] dm table: fail dm_table_create on dm_round_up overflow

login
register
mail settings
Submitter Luis Henriques
Date Dec. 19, 2013, 11:54 a.m.
Message ID <1387454106-19326-174-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/303469/
State New
Headers show

Comments

Luis Henriques - Dec. 19, 2013, 11:54 a.m.
3.11.10.2 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 5b2d06576c5410c10d95adfd5c4d8b24de861d87 upstream.

The dm_round_up function may overflow to zero.  In this case,
dm_table_create() must fail rather than go on to allocate an empty array
with alloc_targets().

This fixes a possible memory corruption that could be caused by passing
too large a number in "param->target_count".

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/md/dm-table.c | 5 +++++
 1 file changed, 5 insertions(+)

Patch

diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index bbd7369..d502fb6 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -200,6 +200,11 @@  int dm_table_create(struct dm_table **result, fmode_t mode,
 
 	num_targets = dm_round_up(num_targets, KEYS_PER_NODE);
 
+	if (!num_targets) {
+		kfree(t);
+		return -ENOMEM;
+	}
+
 	if (alloc_targets(t, num_targets)) {
 		kfree(t);
 		return -ENOMEM;