[dm-devel] [PATCH] dm-integrity: fix a crash with unusually large
Mikulas Patocka
mpatocka at redhat.com
Thu Mar 19 14:39:58 UTC 2020
Hi
I've found a bug in dm-integrity - if the user specified tag size greater
than HASH_MAX_DIGESTSIZE (and lower or equal than MAX_TAG_SIZE), it
crashes if the kmalloc call in integrity_metadata fails.
I'm still not sure how to fix it: we can extend the size of the array
checksums_onstack (but the extended array takes 424 bytes - which may be
too large).
Or, we can restrict ic->tag_size to HASH_MAX_DIGESTSIZE, but it may break
some existing volumes where the user is using larger tag_size.
What do you think would be better?
Mikulas
From: Mikulas Patocka <mpatocka at redhat.com>
If the user specifies tag size larger than HASH_MAX_DIGESTSIZE, there's a
crash in integrity_metadata.
Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
---
drivers/md/dm-integrity.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6/drivers/md/dm-integrity.c
===================================================================
--- linux-2.6.orig/drivers/md/dm-integrity.c 2020-03-19 15:28:14.000000000 +0100
+++ linux-2.6/drivers/md/dm-integrity.c 2020-03-19 15:30:08.000000000 +0100
@@ -1519,7 +1519,7 @@ static void integrity_metadata(struct wo
struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io));
char *checksums;
unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0;
- char checksums_onstack[HASH_MAX_DIGESTSIZE];
+ char checksums_onstack[max(HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
unsigned sectors_to_process = dio->range.n_sectors;
sector_t sector = dio->range.logical_sector;
More information about the dm-devel
mailing list