Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
md: avoid array overflow with bad v1.x metadata
We trust the 'desc_nr' field in v1.x metadata enough to use it
as an index in an array. This isn't really safe.
So range-check the value first.
Signed-off-by: NeilBrown <neilb@suse.de>
+6
-1
drivers/md/md.c
+6
-1
drivers/md/md.c
···
1308
1308
}
1309
1309
if (mddev->level != LEVEL_MULTIPATH) {
1310
1310
int role;
1311
-
role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]);
1311
+
if (rdev->desc_nr < 0 ||
1312
+
rdev->desc_nr >= le32_to_cpu(sb->max_dev)) {
1313
+
role = 0xffff;
1314
+
rdev->desc_nr = -1;
1315
+
} else
1316
+
role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]);
1312
1317
switch(role) {
1313
1318
case 0xffff: /* spare */
1314
1319
break;