| From d1681ab9a05010afc28b1059b0c21fa941ebe7eb Mon Sep 17 00:00:00 2001 |
| From: Mikulas Patocka <mpatocka@redhat.com> |
| Date: Sun, 22 Mar 2020 20:42:21 +0100 |
| Subject: [PATCH] dm integrity: fix a crash with unusually large tag size |
| |
| commit b93b6643e9b5a7f260b931e97f56ffa3fa65e26d upstream. |
| |
| If the user specifies tag size larger than HASH_MAX_DIGESTSIZE, |
| there's a crash in integrity_metadata(). |
| |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> |
| Signed-off-by: Mike Snitzer <snitzer@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c |
| index bdefb9548886..aeed9d827315 100644 |
| --- a/drivers/md/dm-integrity.c |
| +++ b/drivers/md/dm-integrity.c |
| @@ -1501,7 +1501,7 @@ static void integrity_metadata(struct work_struct *w) |
| struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io)); |
| char *checksums; |
| unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0; |
| - char checksums_onstack[HASH_MAX_DIGESTSIZE]; |
| + char checksums_onstack[max((size_t)HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; |
| unsigned sectors_to_process = dio->range.n_sectors; |
| sector_t sector = dio->range.logical_sector; |
| |
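Review bot: The array bound `max((size_t)HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)` is now written out twice, here in integrity_metadata() and in the INTERNAL_VERIFY block of __journal_read_write(), and the removed lines show the two declarations previously had different sizes. Defining the bound once, for example `#define CHECKSUMS_ONSTACK_SIZE max((size_t)HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)` (the name is only a suggestion), and using it in both declarations would keep them from diverging again. The larger buffer is only sufficient if the user-supplied `ic->tag_size` is rejected above MAX_TAG_SIZE when the table is loaded, and that check is not visible in this patch. It would help to add a comment on the declaration such as `/* must hold max(digest_size, ic->tag_size) bytes; relies on tag_size <= MAX_TAG_SIZE being validated in the constructor */`, after confirming the validation exists. Both function bodies start and end outside their hunks, so how the buffer is used could not be checked from here.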
| @@ -1730,7 +1730,7 @@ static bool __journal_read_write(struct dm_integrity_io *dio, struct bio *bio, |
| } while (++s < ic->sectors_per_block); |
| #ifdef INTERNAL_VERIFY |
| if (ic->internal_hash) { |
| - char checksums_onstack[max(HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; |
| + char checksums_onstack[max((size_t)HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; |
| |
| integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack); |
| if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) { |
| -- |
| 2.7.4 |
| |