dm ioctl: fix out of bounds array access when no devices

commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream. If there are not any dm devices, we need to zero the "dev" argument in the first structure dm_name_list. However, this can cause out of bounds write, because the "needed" variable is zero and len may be less than eight. Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is too small to hold the "nl->dev" value. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer <snitzer@redhat.com> [iwamatsu: Adjust context] Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Mikulas Patocka <mpatocka@redhat.com> 2021-03-26 14:32:32 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-05-22 10:38:29 +0200
commit: 0c0f93fbd20276d65ae0581edfcdc93579aa1dc7 (patch)
tree: f1e59328d2914c8ef13e34a5aa75d865564fef85
parent: f763e65c10480e35d04f0b8d7d7e4646a1a593f1 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index eab3f7325e31..a6e6a852c9e8 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
 	 * Grab our output buffer.
 	 */
 	nl = get_result_buffer(param, param_size, &len);
-	if (len < needed) {
+	if (len < needed || len < sizeof(nl->dev)) {
 		param->flags |= DM_BUFFER_FULL_FLAG;
 		goto out;
 	}
author	Mikulas Patocka <mpatocka@redhat.com>	2021-03-26 14:32:32 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-05-22 10:38:29 +0200
commit	0c0f93fbd20276d65ae0581edfcdc93579aa1dc7 (patch)
tree	f1e59328d2914c8ef13e34a5aa75d865564fef85
parent	f763e65c10480e35d04f0b8d7d7e4646a1a593f1 (diff)