Commit 98fd847a authored Nov 02, 2021 by Yu Kuai Committed by Yang Yingliang Nov 02, 2021

nbd: add sanity check for first_minor

hulk inclusion
category: bugfix
bugzilla: 182920, https://gitee.com/openeuler/kernel/issues/I4GLNX


CVE: NA
---------------------------

When user pass 0x100000 as index, nbd will end up create sysfs dir
"/sys/block/43:0":

nbd_dev_add
 disk->first_minor = index << part_shift
 -> default part_shift is 5, 0x100000 << 5 = 0x2000000
  device_add_disk
   blk_alloc_devt
    MKDEV(disk->major, disk->first_minor + part->partno)
    -> (0x2b << 20) | (0x2000000) = 0x2b00000
   register_disk
    device_add
     device_create_sys_dev_entry
      format_dev_t
       MAJOR(devt) -> 0x2b00000 >> 20 = 0x2b
       MINOR(devt) -> 0x2b00000 & 0xfffff = 0
      sysfs_create_link -> /sys/block/43:0

If nbd created device with index 0 aready, then sysfs will compalin
about dumplicated creation.

On the other hand, the similar dumplicated creation will happen if
"index << part_shift" over flow to a value that is less than MINORMASK.

Thus fix the problem by adding sanity check for first_minor.

Fixes: b0d9111a ("nbd: use an idr to keep track of nbd devices")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

parent f00917fa

drivers/block/nbd.c

+11 −0

Original line number	Diff line number	Diff line
		@@ -1755,7 +1755,18 @@ static int nbd_dev_add(int index)
		refcount_set(&nbd->refs, 1);
		INIT_LIST_HEAD(&nbd->list);
		disk->major = NBD_MAJOR;

		/*
		* Too big index can cause duplicate creation of sysfs files/links,
		* because MKDEV() expect that the max first minor is MINORMASK, or
		* index << part_shift can overflow.
		*/
		disk->first_minor = index << part_shift;
		if (disk->first_minor < index \|\| disk->first_minor > MINORMASK) {
		err = -EINVAL;
		goto out_free_tags;
		}

		disk->fops = &nbd_fops;
		disk->private_data = nbd;
		sprintf(disk->disk_name, "nbd%d", index);