[dm-devel] dm raid: pointer math issue in super_sync()
Mike Snitzer
snitzer at redhat.com
Tue Oct 21 12:48:26 UTC 2014
On Tue, Oct 21 2014 at 8:43am -0400,
Dan Carpenter <dan.carpenter at oracle.com> wrote:
> "sb" is a dm_raid_superblock struct pointer so the pointer math doesn't
> work and we will end up corrupting memory.
>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>
> diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
> index b802644..a7cb9dd 100644
> --- a/drivers/md/dm-raid.c
> +++ b/drivers/md/dm-raid.c
> @@ -826,7 +826,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev)
> test_bit(Faulty, &(rs->dev[i].rdev.flags)))
> failed_devices |= (1ULL << i);
>
> - memset(sb + sizeof(*sb), 0, rdev->sb_size - sizeof(*sb));
> + memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
>
> sb->magic = cpu_to_le32(DM_RAID_MAGIC);
> sb->features = cpu_to_le32(0); /* No features yet */
Not following... sizeof(*sb) != sizeof(sb). So I'm not seeing a
problem.
Nor am I seeing how you think sb + 1 is equivalent to what Heinz
intended (zero the memory following the sizeof(struct dm_raid_superblock)).
More information about the dm-devel
mailing list