| From bc811f05d77f47059c197a98b6ad242eb03999cb Mon Sep 17 00:00:00 2001 |
| From: Jens Axboe <axboe@kernel.dk> |
| Date: Tue, 4 Sep 2018 11:52:34 -0600 |
| Subject: nbd: don't allow invalid blocksize settings |
| |
| From: Jens Axboe <axboe@kernel.dk> |
| |
| commit bc811f05d77f47059c197a98b6ad242eb03999cb upstream. |
| |
| syzbot reports a divide-by-zero off the NBD_SET_BLKSIZE ioctl. |
| We need proper validation of the input here. Not just if it's |
| zero, but also if the value is a power-of-2 and in a valid |
| range. Add that. |
| |
| Cc: stable@vger.kernel.org |
| Reported-by: syzbot <syzbot+25dbecbec1e62c6b0dd4@syzkaller.appspotmail.com> |
| Reviewed-by: Josef Bacik <josef@toxicpanda.com> |
| Signed-off-by: Jens Axboe <axboe@kernel.dk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/block/nbd.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/drivers/block/nbd.c |
| +++ b/drivers/block/nbd.c |
| @@ -1228,6 +1228,9 @@ static int __nbd_ioctl(struct block_devi |
| case NBD_SET_SOCK: |
| return nbd_add_socket(nbd, arg, false); |
| case NBD_SET_BLKSIZE: |
| + if (!arg || !is_power_of_2(arg) || arg < 512 || |
| + arg > PAGE_SIZE) |
| + return -EINVAL; |
| nbd_size_set(nbd, arg, |
| div_s64(config->bytesize, arg)); |
| return 0; |