Commit 4c995612 authored by Heinz Mauelshagen's avatar Heinz Mauelshagen Committed by Yuan Can
Browse files

dm raid: fix accesses beyond end of raid member array 

stable inclusion
from stable-v4.19.251
commit df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP60S
CVE: CVE-2022-49674

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85



--------------------------------

commit 332bd077 upstream.

On dm-raid table load (using raid_ctr), dm-raid allocates an array
rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
is defined by the number of raid metadata and image tupples passed
into the target's constructor.

In the case of RAID layout changes being requested, that number can be
different from the current number of members for existing raid sets as
defined in their superblocks. Example RAID layout changes include:
- raid1 legs being added/removed
- raid4/5/6/10 number of stripes changed (stripe reshaping)
- takeover to higher raid level (e.g. raid5 -> raid6)

When accessing array members, rs->raid_disks must be used in control
loops instead of the potentially larger value in rs->md.raid_disks.
Otherwise it will cause memory access beyond the end of the rs->devs
array.

Fix this by changing code that is prone to out-of-bounds access.
Also fix validate_raid_redundancy() to validate all devices that are
added. Also, use braces to help clean up raid_iterate_devices().

The out-of-bounds memory accesses was discovered using KASAN.

This commit was verified to pass all LVM2 RAID tests (with KASAN
enabled).

Cc: stable@vger.kernel.org
Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarYuan Can <yuancan@huawei.com>
parent bf266d80

drivers/md/dm-raid.c

+18 −16
Original line number Diff line number Diff line
@@ -998,12 +998,13 @@ static int validate_region_size(struct raid_set *rs, unsigned long region_size) 
static int validate_raid_redundancy(struct raid_set *rs)

{

	unsigned int i, rebuild_cnt = 0;

	unsigned int rebuilds_per_group = 0, copies;

	unsigned int rebuilds_per_group = 0, copies, raid_disks;

	unsigned int group_size, last_group_start;



	for (i = 0; i < rs->md.raid_disks; i++)

		if (!test_bit(In_sync, &rs->dev[i].rdev.flags) ||

		    !rs->dev[i].rdev.sb_page)

	for (i = 0; i < rs->raid_disks; i++)

		if (!test_bit(FirstUse, &rs->dev[i].rdev.flags) &&

		    ((!test_bit(In_sync, &rs->dev[i].rdev.flags) ||

		      !rs->dev[i].rdev.sb_page)))

			rebuild_cnt++;



	switch (rs->md.level) {
@@ -1043,8 +1044,9 @@ static int validate_raid_redundancy(struct raid_set *rs) 
		 *	    A	 A    B	   B	C

		 *	    C	 D    D	   E	E

		 */

		raid_disks = min(rs->raid_disks, rs->md.raid_disks);

		if (__is_raid10_near(rs->md.new_layout)) {

			for (i = 0; i < rs->md.raid_disks; i++) {

			for (i = 0; i < raid_disks; i++) {

				if (!(i % copies))

					rebuilds_per_group = 0;

				if ((!rs->dev[i].rdev.sb_page ||
@@ -1067,10 +1069,10 @@ static int validate_raid_redundancy(struct raid_set *rs) 
		 * results in the need to treat the last (potentially larger)

		 * set differently.

		 */

		group_size = (rs->md.raid_disks / copies);

		last_group_start = (rs->md.raid_disks / group_size) - 1;

		group_size = (raid_disks / copies);

		last_group_start = (raid_disks / group_size) - 1;

		last_group_start *= group_size;

		for (i = 0; i < rs->md.raid_disks; i++) {

		for (i = 0; i < raid_disks; i++) {

			if (!(i % copies) && !(i > last_group_start))

				rebuilds_per_group = 0;

			if ((!rs->dev[i].rdev.sb_page ||
@@ -1585,7 +1587,7 @@ static sector_t __rdev_sectors(struct raid_set *rs) 
{

	int i;



	for (i = 0; i < rs->md.raid_disks; i++) {

	for (i = 0; i < rs->raid_disks; i++) {

		struct md_rdev *rdev = &rs->dev[i].rdev;



		if (!test_bit(Journal, &rdev->flags) &&
@@ -3748,13 +3750,13 @@ static int raid_iterate_devices(struct dm_target *ti, 
	unsigned int i;

	int r = 0;



	for (i = 0; !r && i < rs->md.raid_disks; i++)

		if (rs->dev[i].data_dev)

			r = fn(ti,

				 rs->dev[i].data_dev,

	for (i = 0; !r && i < rs->raid_disks; i++) {

		if (rs->dev[i].data_dev) {

			r = fn(ti, rs->dev[i].data_dev,

			       0, /* No offset on data devs */

				 rs->md.dev_sectors,

				 data);

			       rs->md.dev_sectors, data);

		}

	}



	return r;

}