Commit 8a627d72 authored Jul 22, 2023 by Zhang Shurong Committed by sanglipeng Mar 07, 2024

md: raid1: fix potential OOB in raid1_remove_disk()

stable inclusion
from stable-v5.10.197
commit 7993cfc041481a3a9cd4a3858088fc846b8ccaf7
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I96Q8P

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7993cfc041481a3a9cd4a3858088fc846b8ccaf7



--------------------------------

[ Upstream commit 8b0472b5 ]

If rddev->raid_disk is greater than mddev->raid_disks, there will be
an out-of-bounds in raid1_remove_disk(). We have already found
similar reports as follows:

1) commit d17f744e ("md-raid10: fix KASAN warning")
2) commit 1ebc2cec ("dm raid: fix KASAN warning in raid5_remove_disk")

Fix this bug by checking whether the "number" variable is
valid.

Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/tencent_0D24426FAC6A21B69AC0C03CE4143A508F09@qq.com


Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent e1eb2cdc

drivers/md/raid1.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -1789,6 +1789,10 @@ static int raid1_remove_disk(struct mddev mddev, struct md_rdev rdev)
		struct r1conf *conf = mddev->private;
		int err = 0;
		int number = rdev->raid_disk;

		if (unlikely(number >= conf->raid_disks))
		goto abort;

		struct raid1_info *p = conf->mirrors + number;

		if (rdev != p->rdev)