Hello,

On Tue, Dec 19, 2023 at 08:55:13PM +0000, Yang, Chenyuan wrote:
> Hello,
>
> We detected another crash bug for the `md` driver implemented in
> `drivers/md/dm-ioctl.c` and `dm-table.c` by using Syzkaller. This is kind of
> like "kmalloc bug in ctl_ioctl" but it is related to another CMD value and
> argument (`DM_TABLE_LOAD_CMD` and `struct dm_ioctl.target_count`).
>
> Based on our understanding, this bug is caused by `n_highs = kvcalloc(num,
> sizeof(struct dm_target) + sizeof(sector_t), GFP_KERNEL);` in `dm-table.c`
> (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-table.c#L112).
> This allocates an array with a size over INT_MAX.
>
> A possible patch is to have a check for `struct dm_ioctl.target_count`,
> which is the argument for the `ioctl` with `DM_TABLE_LOAD_CMD` as the
> command value. Currently, there is no check for this argument.
>
> We reproduced this bug in the latest Linux Kernel (reproducible on
> 3bd7d748816927202268cb335921f7f68b3ca723 and found on
> d2f51b3516dade79269ff45eae2a7668ae711b25), and the config for the kernel is
> attached.
>
> Here is the log and Syzkaller reproducer. The C reproducer is also attached,
> which can be compiled with `gcc -pthread`.
(...)
Quick note, there's no need to Cc the security list since this was
cross-posted to a public list:
https://lore.kernel.org/dm-devel/ph7pr11mb5768d4593870e9515dee6334a0...@ph7pr11mb5768.namprd11.prod.outlook.com/T/#u

Thanks,
Willy
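The report above says the `kvcalloc()` in `dm-table.c` sizes its array directly from the user-supplied `dm_ioctl.target_count` and that nothing bounds that count before the allocation. The following userspace model, added here and not taken from the kernel or from either poster, shows what a bound check on `target_count` would look like and how an unchecked count drives the requested size past INT_MAX. The element size (256 bytes as a stand-in for `sizeof(struct dm_target)`, plus a 64-bit `sector_t`) and the `DM_MAX_TARGETS_ASSUMED` cap are assumptions for illustration, not values from the kernel or from any proposed patch.

```c
/* Added example: userspace model of a bound check on dm_ioctl.target_count
 * ahead of the kvcalloc() in dm-table.c. Not kernel code. The element size
 * and the target cap below are assumptions chosen for illustration. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed element size: in the kernel the allocation is
 * num * (sizeof(struct dm_target) + sizeof(sector_t)); 256 + 8 is a stand-in. */
#define DM_TARGET_ELEM_SIZE ((size_t)256 + sizeof(uint64_t))

/* Hypothetical cap on targets per table; a real patch would choose a value
 * justified by what a dm_table can actually hold. */
#define DM_MAX_TARGETS_ASSUMED 65536u

/* Size that an unchecked kvcalloc(target_count, elem) would request.
 * Uses size_t so the multiply itself does not wrap on 64-bit. */
size_t dm_unchecked_alloc_bytes(uint32_t target_count)
{
    return (size_t)target_count * DM_TARGET_ELEM_SIZE;
}

/* True when the unchecked request exceeds INT_MAX, the point at which
 * kvmalloc refuses the request (with a warning unless __GFP_NOWARN). */
bool dm_unchecked_exceeds_int_max(uint32_t target_count)
{
    return dm_unchecked_alloc_bytes(target_count) > (size_t)INT_MAX;
}

/* Bounded version: reject a zero or oversized count, then size the array
 * with an overflow-checked multiply. Returns 0 on success, -EINVAL otherwise
 * and leaves *out untouched on failure. */
int dm_targets_alloc_size(uint32_t target_count, size_t *out)
{
    size_t bytes;

    /* Explicit bound on the user-controlled count. */
    if (target_count == 0 || target_count > DM_MAX_TARGETS_ASSUMED)
        return -EINVAL;

    /* __builtin_mul_overflow is what the kernel's check_mul_overflow()
     * expands to on gcc/clang; kvcalloc performs the same check internally. */
    if (__builtin_mul_overflow((size_t)target_count, DM_TARGET_ELEM_SIZE, &bytes))
        return -EINVAL;

    /* Belt and braces: never hand kvmalloc a request above INT_MAX. */
    if (bytes > (size_t)INT_MAX)
        return -EINVAL;

    *out = bytes;
    return 0;
}

int main(void)
{
    /* Constructed inputs: small sane tables, the cap boundary, and the kind
     * of huge count a fuzzer feeds into DM_TABLE_LOAD_CMD. */
    const uint32_t samples[] = { 1, 4, DM_MAX_TARGETS_ASSUMED,
                                 DM_MAX_TARGETS_ASSUMED + 1, UINT32_MAX };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        int rc = dm_targets_alloc_size(samples[i], &bytes);

        printf("target_count=%u unchecked=%zu bytes (%s INT_MAX) -> %s\n",
               samples[i], dm_unchecked_alloc_bytes(samples[i]),
               dm_unchecked_exceeds_int_max(samples[i]) ? "over" : "under",
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The cap is the part that matters: the overflow-checked multiply alone would still let a count of a few million through, and on a 64-bit kernel `size_t` does not wrap for any 32-bit count, so only an explicit upper bound on `target_count` keeps the request under INT_MAX.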
