blk-integrity: fix slab-out-of-bounds in t10_pi_verify on namespace revalidation#912
Open
blktests-ci[bot] wants to merge 1 commit into
Open
blk-integrity: fix slab-out-of-bounds in t10_pi_verify on namespace revalidation#912blktests-ci[bot] wants to merge 1 commit into
blktests-ci[bot] wants to merge 1 commit into
Conversation
Author
|
Upstream branch: 8fde5d1 |
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
3f4a345 to
c6dc343
Compare
Author
|
Upstream branch: e43ffb6 |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
a0ae43f to
c129afa
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c6dc343 to
fc36596
Compare
Author
|
Upstream branch: ba3e43a |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
c129afa to
529672f
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
fc36596 to
7bed9c3
Compare
Author
|
Upstream branch: ddd664b |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
529672f to
916540a
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
7bed9c3 to
a7bb5c5
Compare
Author
|
Upstream branch: 979c294 |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
916540a to
ff39d2c
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
a7bb5c5 to
5e41a3b
Compare
Author
|
Upstream branch: acb7500 |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
ff39d2c to
5bb0fb3
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
5e41a3b to
c3a084b
Compare
Author
|
Upstream branch: 9716c08 |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
5bb0fb3 to
cc63f98
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c3a084b to
5f78e5d
Compare
Author
|
Upstream branch: 2a2974b |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
cc63f98 to
b7323e7
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
5f78e5d to
e48f9db
Compare
Author
|
Upstream branch: 062871f |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
b7323e7 to
958db76
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
199644a to
e6d9eb8
Compare
Author
|
Upstream branch: 66affa3 |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
958db76 to
96f4a49
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
e6d9eb8 to
7d8604f
Compare
…evalidation
Abort early with BLK_STS_PROTECTION if a namespace revalidation changed
bi->metadata_size after bio_integrity_prep() sized the allocation.
Found by FuzzNvme (Syzkaller with FEMU fuzzing framework).
When a namespace is revalidated between bio_integrity_prep() and
bio_integrity_verify_fn(), the integrity profile's metadata_size may
change under the in-flight bio. bio_integrity_verify_fn() re-reads the
live blk_integrity via blk_get_integrity(), so blk_integrity_iterate()
uses the new metadata_size as the per-interval step size against a
buffer sized for the old one, advancing iter->prot_buf past the end of
the allocation.
task 1:
bio_integrity_prep()
bio_integrity_alloc_buf()
len = bio_integrity_bytes(bi, bio_sectors(bio)) ...(1)
bip->bip_iter.bi_size = len
task 2:
nvme_update_ns_info_block()
blk_mq_freeze_queue()
nvme_init_integrity()
bi->metadata_size = head->ms ...(2)
blk_mq_unfreeze_queue()
task 3:
bio_integrity_verify_fn()
bio_integrity_verify()
blk_integrity_iterate()
bi = blk_get_integrity() ...(3)
iter->interval_remaining = 1 << bi->interval_exp
iter->prot_buf += bi->metadata_size per interval
/* step size from (3), buffer sized at (1): overrun */
Fixes: 8098514 ("block: always allocate integrity buffer when required")
Signed-off-by: Samin Y. Chowdhury <samin_c@outlook.com>
Acked-by: Sungwoo Kim <iam@sung-woo.kim>
Acked-by: Dave Tian <daveti@purdue.edu>
Acked-by: Weidong Zhu <weizhu@fiu.edu>
Acked-by: Ruimin Sun <rsun@fiu.edu>
Author
|
Upstream branch: bade58e |
blktests-ci
Bot
force-pushed
the
series/1103689=>linus-master
branch
from
96f4a49 to
2b75ec7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: blk-integrity: fix slab-out-of-bounds in t10_pi_verify on namespace revalidation
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1103689