dm ioctl: fix out of bounds array access when no devices

commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream. If there are not any dm devices, we need to zero the "dev" argument in the first structure dm_name_list. However, this can cause out of bounds write, because the "needed" variable is zero and len may be less than eight. Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is too small to hold the "nl->dev" value. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer <snitzer@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Mikulas Patocka <mpatocka@redhat.com> 2021-03-26 14:32:32 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-30 14:36:59 +0200
commit: 76aa61c55279fdaa8d428236ba8834edf313b372 (patch)
tree: becd6b4a86ea2772c8b704c2f21a1104362b9aa9
parent: 0f436dff2fadbec77ce759f18caab276e8bad53b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 439277f48ff8..17cbad58834f 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -529,7 +529,7 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_
 	 * Grab our output buffer.
 	 */
 	nl = orig_nl = get_result_buffer(param, param_size, &len);
-	if (len < needed) {
+	if (len < needed || len < sizeof(nl->dev)) {
 		param->flags |= DM_BUFFER_FULL_FLAG;
 		goto out;
 	}
author	Mikulas Patocka <mpatocka@redhat.com>	2021-03-26 14:32:32 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-30 14:36:59 +0200
commit	76aa61c55279fdaa8d428236ba8834edf313b372 (patch)
tree	becd6b4a86ea2772c8b704c2f21a1104362b9aa9
parent	0f436dff2fadbec77ce759f18caab276e8bad53b (diff)