From nobody Mon Feb 9 01:45:35 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3B512C7EE24 for ; Sat, 3 Jun 2023 14:53:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230198AbjFCOxS (ORCPT ); Sat, 3 Jun 2023 10:53:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229606AbjFCOxO (ORCPT ); Sat, 3 Jun 2023 10:53:14 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A602CE; Sat, 3 Jun 2023 07:53:13 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id C76425C00C8; Sat, 3 Jun 2023 10:53:12 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sat, 03 Jun 2023 10:53:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685803992; x=1685890392; bh=YCzACzClxG a/ktYTHwJaaNWjaN7phPISbw1cPfpWZUo=; b=pXYzXv05o9CAdFMXpOMdKmLWi2 Q5Vuiijm/ua1tXFFnVVd1Mmlyx0n3sJG7LkVHlrx2skKiWiQsHJ5s+xH+jgC0xsU qnJCUnbr2+RZTznR9n9hba8/it5Hsqve8eNGpy0QG3q8nhb0B1fZMwII5oAYzLwz 7Ltro9/nIYFdvObT9L7XkEt3SEUT1fRvXKLzRUcRu0DWmp6C+ElO/93OT/zM8Aot qc/ZHGerpZ5NcMYIvFiQjfF3K6k3pdwGiI/q5Yhhb1BqGoXcKRrTEpbGWzp8Uf33 8phGyAwsIKivy40tWpDXpekYtqYOqbnwMX//S+yA+45b5TOkqsaxN67UJOtg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685803992; x= 1685890392; bh=YCzACzClxGa/ktYTHwJaaNWjaN7phPISbw1cPfpWZUo=; b=v CBsWyth29tlIlptRZtIJNH+muWrQmiT0Lbs0SbsNteRgKmQXQX+J7Vt5gror77e1 Ta3vwUGl8KlKj4yUjlg7SEmhjxAyAHA/3/GEaOcpKHbkZjqfeFUPzqGPayw4ppWt SY1iURtwhnQk12abr1qwqjnpnn2UOFpHOvFzRcNgap4XiFbgm/vJ8QcL2+l9m6nc yRf9hwoR8sxcEZqlk3scrn+CmX8utRGnawc1t1vP3GSe+0k5uAIC6suw46l5mpJr TYSOPN8JdKHQwvpvEoqy2l0jGPvAv+Wmyju1pHSFcnfe6O/TuNQJHDcwQFJvn/ez wcDzQsQBeOHQnAI6qxI+g== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgepudenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:12 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 1/6] device-mapper: Check that target specs are sufficiently aligned Date: Sat, 3 Jun 2023 10:52:39 -0400 Message-Id: <20230603145244.1538-2-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Otherwise subsequent code will dereference a misaligned `struct dm_target_spec *`, which is undefined behavior. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org --- drivers/md/dm-ioctl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index cc77cf3d410921432eb0c62cdede7d55b9aa674a..34fa74c6a70db8aa67aaba3f6a2= fc4f38ef736bc 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1394,6 +1394,13 @@ static inline fmode_t get_mode(struct dm_ioctl *para= m) static int next_target(struct dm_target_spec *last, uint32_t next, void *e= nd, struct dm_target_spec **spec, char **target_params) { + static_assert(_Alignof(struct dm_target_spec) <=3D 8, + "struct dm_target_spec has excessive alignment requirements"); + if (next % 8) { + DMERR("Next target spec (offset %u) is not 8-byte aligned", next); + return -EINVAL; + } + *spec =3D (struct dm_target_spec *) ((unsigned char *) last + next); *target_params =3D (char *) (*spec + 1); =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Mon Feb 9 01:45:35 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E14A2C77B73 for ; Sat, 3 Jun 2023 14:53:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236007AbjFCOxV (ORCPT ); Sat, 3 Jun 2023 10:53:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60754 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229640AbjFCOxP (ORCPT ); Sat, 3 Jun 2023 10:53:15 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 983F4197; Sat, 3 Jun 2023 07:53:14 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 05CCE5C00D5; Sat, 3 Jun 2023 10:53:14 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sat, 03 Jun 2023 10:53:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685803994; x=1685890394; bh=aSjkzE25S8 BxmyJfHmxx2kjK812O0BGlmJS9UYp63Y4=; b=i7f0Q9d5TEM1LgMqJdRiHaENlq ynQteKNn8bi2ztKCkSRVp4PxCircChHJT/lYVyvSYX0Z7/qgUv30JIzrk7ZYzd9i AKpKIVDyu3UAbtIRA78mvGuQxHdfXgT4ZsQlTamYjEoYxKy3K3SrCDGg6x+TRcWC PRTR9cmPgtqtcQlhEfHPC0N+VDElYhcKIbVFQCNVDt5ii7Z+pgsCClY33l8He98V C+xZF3NFoGeKTHJGUNqkMQ2tt2DgND6dr1InWKfjK2UwmGmAMarSoXt0/8UgfsN/ qIXYrRMLYKpDfyanOmEeliW/NbSDAg+adQX8UewvfqzWjY3IRWMEP6UMqISg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685803994; x= 1685890394; bh=aSjkzE25S8BxmyJfHmxx2kjK812O0BGlmJS9UYp63Y4=; b=J iBQ1MuYjIHoAHRkeTOW9xDwi5DUzBk+/ahqcMcNfOXPc8+MBgWAtdbyAcZpxzIa1 ne/CK8oMKk7G+IAqFPQTTQOxKru3sgIM+tatRjNxFPMPYFzthPJse+XnxjxmgWgu rG0zNv63FslYu0OuN//1Md2SXw1/m8ZlbTDkDseHCLVTTnGOigAGCEGDPsMh8/yM bKGgGhhl6euDITEJ9ZRAtzHnpAdOavk99iorbnhFA5HmX4/25rx8CJ6j4Tqgzrq2 L98mPoTsXdOEhMrwBSQcz9IKGjbQiuXyUsBZy2E1JtKyInnFAm3MIL7PJnaNeY/f i/odYTx+R7YDYAb3QRjWQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgepudenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:13 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 2/6] device-mapper: Avoid pointer arithmetic overflow Date: Sat, 3 Jun 2023 10:52:40 -0400 Message-Id: <20230603145244.1538-3-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Especially on 32-bit systems, it is possible for the pointer arithmetic to overflow and cause a userspace pointer to be dereferenced in the kernel. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Mikulas Patocka --- drivers/md/dm-ioctl.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 34fa74c6a70db8aa67aaba3f6a2fc4f38ef736bc..64e8f16d344c47057de5e2d29e3= d63202197dca0 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1396,6 +1396,25 @@ static int next_target(struct dm_target_spec *last, = uint32_t next, void *end, { static_assert(_Alignof(struct dm_target_spec) <=3D 8, "struct dm_target_spec has excessive alignment requirements"); + static_assert(offsetof(struct dm_ioctl, data) >=3D sizeof(struct dm_targe= t_spec), + "struct dm_target_spec too big"); + + /* + * Number of bytes remaining, starting with last. This is always + * sizeof(struct dm_target_spec) or more, as otherwise *last was + * out of bounds already. + */ + size_t remaining =3D (char *)end - (char *)last; + + /* + * There must be room for both the next target spec and the + * NUL-terminator of the target itself. + */ + if (remaining - sizeof(struct dm_target_spec) <=3D next) { + DMERR("Target spec extends beyond end of parameters"); + return -EINVAL; + } + if (next % 8) { DMERR("Next target spec (offset %u) is not 8-byte aligned", next); return -EINVAL; --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Mon Feb 9 01:45:35 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD509C7EE29 for ; Sat, 3 Jun 2023 14:53:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236809AbjFCOxZ (ORCPT ); Sat, 3 Jun 2023 10:53:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235476AbjFCOxT (ORCPT ); Sat, 3 Jun 2023 10:53:19 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E19CC196; Sat, 3 Jun 2023 07:53:17 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 503095C00C8; Sat, 3 Jun 2023 10:53:17 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Sat, 03 Jun 2023 10:53:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685803997; x=1685890397; bh=YZHd7YYjlD K6sv+mkKSJgYpLNyemRttpNw5QnchM4bE=; b=TnOxlFpRryRJNsR7dpT46fcwU5 WqmiJVKfcJVhI69FXcnQw0XXlGXPg9eAkwuvXv+2oNga3YcKAjpqy3i488+aRrQ1 R5lK/T/ytfC9Y2lXcCgBAXPny4UlKg2y68Bt3b/hiAhg5WH1yPTucdXexc89KnxJ j1CGz+TJS3grfw+G1Cgjm9Sv6qjcOTvodT7ihTNrN5QIGI3I/RfTsbBk56hQq/dj N7LCPY8GSBfWjfzC+P7v6OLtBIxGKpPF8y4q8AUbXmHRxPMcNYoKVzQn/38pKOrn cgHs49N9IOZLlTsTUhzfV30H3FLTnOs/+4aE9dCOlJCooyPlIaVG0RbUS6tg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685803997; x= 1685890397; bh=YZHd7YYjlDK6sv+mkKSJgYpLNyemRttpNw5QnchM4bE=; b=R KSwHSh5CbZGFPlBIs95J+lFNUW+CiVOmBjXlwhhHamgOnD6blPnTsSZctV6KhZa6 rc8xKQZcZgcSqnTJqDP5e2MCQGsgvnwfyadaEXHClMLKu3tG5xQA54ukTJZzIqI/ 8+MC0YPY2gS6iy9ukE0ol1BYlctioyi3n6uC5y5zxKZgigk8d0sFaEj9Xw0UuXA0 74ubqf28G7Zee6IfmuHYdlAINdOLRb1ZELv1M+ysGpADDiI1rdxdyjLfQJ4PqBMT U+jozsg5GFP3J/LvN5+U9Et3QjGPM8kIC19TnhmtyaZqCZHvDxVA51pJD/AQn00W t2Gm+rYVbFTgUUbmGkvcA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgeptdenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:16 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 3/6] device-mapper: structs and parameter strings must not overlap Date: Sat, 3 Jun 2023 10:52:41 -0400 Message-Id: <20230603145244.1538-4-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The NUL terminator for each target parameter string must precede the following 'struct dm_target_spec'. Otherwise, dm_split_args() might corrupt this struct. Furthermore, the first 'struct dm_target_spec' must come after the 'struct dm_ioctl', as if it overlaps too much dm_split_args() could corrupt the 'struct dm_ioctl'. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Mikulas Patocka --- drivers/md/dm-ioctl.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 64e8f16d344c47057de5e2d29e3d63202197dca0..da6ca26b51d0953df380582bb3a= 51c2ec22c27cb 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1391,7 +1391,7 @@ static inline fmode_t get_mode(struct dm_ioctl *param) return mode; } =20 -static int next_target(struct dm_target_spec *last, uint32_t next, void *e= nd, +static int next_target(struct dm_target_spec *last, uint32_t next, const c= har *end, struct dm_target_spec **spec, char **target_params) { static_assert(_Alignof(struct dm_target_spec) <=3D 8, @@ -1404,7 +1404,7 @@ static int next_target(struct dm_target_spec *last, u= int32_t next, void *end, * sizeof(struct dm_target_spec) or more, as otherwise *last was * out of bounds already. */ - size_t remaining =3D (char *)end - (char *)last; + size_t remaining =3D end - (char *)last; =20 /* * There must be room for both the next target spec and the @@ -1423,10 +1423,7 @@ static int next_target(struct dm_target_spec *last, = uint32_t next, void *end, *spec =3D (struct dm_target_spec *) ((unsigned char *) last + next); *target_params =3D (char *) (*spec + 1); =20 - if (*spec < (last + 1)) - return -EINVAL; - - return invalid_str(*target_params, end); + return 0; } =20 static int populate_table(struct dm_table *table, @@ -1436,8 +1433,9 @@ static int populate_table(struct dm_table *table, unsigned int i =3D 0; struct dm_target_spec *spec =3D (struct dm_target_spec *) param; uint32_t next =3D param->data_start; - void *end =3D (void *) param + param_size; + const char *const end =3D (const char *) param + param_size; char *target_params; + size_t min_size =3D sizeof(struct dm_ioctl); =20 if (!param->target_count) { DMERR("%s: no targets specified", __func__); @@ -1445,6 +1443,13 @@ static int populate_table(struct dm_table *table, } =20 for (i =3D 0; i < param->target_count; i++) { + const char *nul_terminator; + + if (next < min_size) { + DMERR("%s: next target spec (offset %u) overlaps %s", + __func__, next, i ? "previous target" : "'struct dm_ioctl'"); + return -EINVAL; + } =20 r =3D next_target(spec, next, end, &spec, &target_params); if (r) { @@ -1452,6 +1457,15 @@ static int populate_table(struct dm_table *table, return r; } =20 + nul_terminator =3D memchr(target_params, 0, (size_t)(end - target_params= )); + if (nul_terminator =3D=3D NULL) { + DMERR("%s: target parameters not NUL-terminated", __func__); + return -EINVAL; + } + + /* Add 1 for NUL terminator */ + min_size =3D (size_t)(nul_terminator - (const char *)spec) + 1; + r =3D dm_table_add_target(table, spec->target_type, (sector_t) spec->sector_start, (sector_t) spec->length, --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Mon Feb 9 01:45:35 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FEC2C7EE2E for ; Sat, 3 Jun 2023 14:53:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236828AbjFCOx2 (ORCPT ); Sat, 3 Jun 2023 10:53:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60842 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230216AbjFCOxU (ORCPT ); Sat, 3 Jun 2023 10:53:20 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 35E5318D; Sat, 3 Jun 2023 07:53:19 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A327A5C0159; Sat, 3 Jun 2023 10:53:18 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sat, 03 Jun 2023 10:53:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685803998; x=1685890398; bh=SGVGhCOi3w bBYhOjjO56k89nCKOx38H3KskyWEyWiGs=; b=Jp89MgG4yUz6UPx66J59ThD/Bv 3ZmoZxMs4OXV2lcM3NtGZ1+UwTxPbybEYji7PBUqV0YDPubWeHhoApOzzqgRunbx u/qf3o3FIUR7HBbfc7NkBLmBiEXcUzLwK/320g73bLp5ay2ZIWznc1FYUb3MSFtl 59VocK8gNlxmhjSUSAZfrTNpmmx56seI0FFOELKYP+IWK4GOvswszANk66ngrsDG CyejlAATPIaaQkQzp88yGgiT6wFnN1mXxmZPe4XJJJGnH8ZrkvF2NZx2jJKjNeY9 RR+AXGW+9HkZ3B8ek24czu+OkLOSH0RQS7TltXzpejPZiiohWxhF7DvT2UFg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685803998; x= 1685890398; bh=SGVGhCOi3wbBYhOjjO56k89nCKOx38H3KskyWEyWiGs=; b=U kziZXYYR49LS1/JS1PPJU3ZfdZdjsPIGAHpa1LSgkDMjoiXcnVMZMDTuW0VVTEc7 Lf8QpJlAPv5+mQ165EPrrifFO1xdZr1ZeetZex2wKPImB2PPgPNE/k34wH4zIXiY RRJeW0O+OmNb0kamWKXl0CvoraCZuEdkiU35/mOAWXP9fMaC5riJxe0vE9+gzV+I uYfAbfwAgR8OeqlS9S5vhOscLXpBMdP2lI09LLqJtKiYjmxcbzT7sAZ6MZJeRGzt qxCFZbUW0jNtN286djwYT5SzDreLZNhjc4VUfwapiXizqb/ZXMZjNnZuRC44C2pU /1QYevHp01cFM8KqW3LWg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgepfeenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:17 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v2 4/6] device-mapper: Avoid double-fetch of version Date: Sat, 3 Jun 2023 10:52:42 -0400 Message-Id: <20230603145244.1538-5-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The version is fetched once in check_version(), which then does some validation and then overwrites the version in userspace with the API version supported by the kernel. copy_params() then fetches the version from userspace *again*, and this time no validation is done. The result is that the kernel's version number is completely controllable by userspace, provided that userspace can win a race condition. Fix this flaw by not copying the version back to the kernel the second time. This is not exploitable as the version is not further used in the kernel. However, it could become a problem if future patches start relying on the version field. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index da6ca26b51d0953df380582bb3a51c2ec22c27cb..7510afe237d979a5ee71afe87a2= 0d49f631de1aa 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1873,30 +1873,33 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int = *ioctl_flags) * As well as checking the version compatibility this always * copies the kernel interface version out. */ -static int check_version(unsigned int cmd, struct dm_ioctl __user *user) +static int check_version(unsigned int cmd, struct dm_ioctl __user *user, + struct dm_ioctl *kernel_params) { - uint32_t version[3]; int r =3D 0; =20 - if (copy_from_user(version, user->version, sizeof(version))) + if (copy_from_user(kernel_params->version, user->version, sizeof(kernel_p= arams->version))) return -EFAULT; =20 - if ((version[0] !=3D DM_VERSION_MAJOR) || - (version[1] > DM_VERSION_MINOR)) { + if ((kernel_params->version[0] !=3D DM_VERSION_MAJOR) || + (kernel_params->version[1] > DM_VERSION_MINOR)) { DMERR("ioctl interface mismatch: kernel(%u.%u.%u), user(%u.%u.%u), cmd(%= d)", DM_VERSION_MAJOR, DM_VERSION_MINOR, DM_VERSION_PATCHLEVEL, - version[0], version[1], version[2], cmd); + kernel_params->version[0], + kernel_params->version[1], + kernel_params->version[2], + cmd); r =3D -EINVAL; } =20 /* * Fill in the kernel version. */ - version[0] =3D DM_VERSION_MAJOR; - version[1] =3D DM_VERSION_MINOR; - version[2] =3D DM_VERSION_PATCHLEVEL; - if (copy_to_user(user->version, version, sizeof(version))) + kernel_params->version[0] =3D DM_VERSION_MAJOR; + kernel_params->version[1] =3D DM_VERSION_MINOR; + kernel_params->version[2] =3D DM_VERSION_PATCHLEVEL; + if (copy_to_user(user->version, kernel_params->version, sizeof(kernel_par= ams->version))) return -EFAULT; =20 return r; @@ -1922,7 +1925,10 @@ static int copy_params(struct dm_ioctl __user *user,= struct dm_ioctl *param_kern const size_t minimum_data_size =3D offsetof(struct dm_ioctl, data); unsigned int noio_flag; =20 - if (copy_from_user(param_kernel, user, minimum_data_size)) + /* Version has been copied from userspace already, avoid TOCTOU */ + if (copy_from_user((char *)param_kernel + sizeof(param_kernel->version), + (char __user *)user + sizeof(param_kernel->version), + minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; =20 if (param_kernel->data_size < minimum_data_size) { @@ -2034,7 +2040,7 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us * Check the interface version passed in. This also * writes out the kernel's interface version. */ - r =3D check_version(cmd, user); + r =3D check_version(cmd, user, ¶m_kernel); if (r) return r; =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Mon Feb 9 01:45:35 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A3BAC7EE29 for ; Sat, 3 Jun 2023 14:53:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237140AbjFCOxd (ORCPT ); Sat, 3 Jun 2023 10:53:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235879AbjFCOxV (ORCPT ); Sat, 3 Jun 2023 10:53:21 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9BEE1A5 for ; Sat, 3 Jun 2023 07:53:20 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 441865C018B; Sat, 3 Jun 2023 10:53:20 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sat, 03 Jun 2023 10:53:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685804000; x=1685890400; bh=bzf2lzXwm0 yOFyHlXVDw/mThYLsZ0cA++V3ZJ1NyFW4=; b=ksRwITENMjfZbLijYMBGgB4obj Z8jhiq5RyMTyd7FtGeuPdHhxAtTkH7l5FU2eduhrz+jaXKhExJPqken41iClDagx /7PSOKaEcQmI5VejX1xzh5ADEBtIvTSeXbx1mCm/ex5XmyMxM42zZpWJ0tC6pZWV /zdF1oq7J4H9ZfzPJntxkAz+Nw4dQVMf+ksDop/LjJ3QVO3ltqX6/l1QZAhOl52i FBDH5WCLAVL1VV/0/KXk69BSXntmkInEk+b399rZHodrvvvaNUBn5vXsiaWS/GCb qbAJ5FPdv3H3++kNYAhetFinoEgVgXzwbvTBShksM85uKgX34xQypXarAqbg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685804000; x= 1685890400; bh=bzf2lzXwm0yOFyHlXVDw/mThYLsZ0cA++V3ZJ1NyFW4=; b=m K3adYSf3veZMGbd7z2H9VE0Rk34pWAOoILfsPZfDA2b6VUwR8d9LPbjmKqGy28qW ItbDoXOIGdomPzzvdmYvQd4CFhjM+b7CHhkTSiH93L0a0yjKNkuyRzd/F1fX8x4H 1w4/5i1PkAAcDBn8GIS1h+6RLk8uxdXocy4uIhNSi6bv3K0RpTM7uIXdi17WoZyz qQ0IpUTX009Yf9zi7PT21hI/jNqIvvowg+eyBOaAws4yu88kRPgOHA6cSJ+6CiD+ x1umJG38gkBLKWuHuuFSFtAXGDIrPeIp2p6P4eCpYTsV0Kfw+jDwKutF14KgDHTj rg7zQo7uL44vEg8lM6WLQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgepfeenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:19 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org Subject: [PATCH v2 5/6] device-mapper: Refuse to create device named "control" Date: Sat, 3 Jun 2023 10:52:43 -0400 Message-Id: <20230603145244.1538-6-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Typical userspace setups create a symlink under /dev/mapper with the name of the device, but /dev/mapper/control is reserved for the control device. Therefore, trying to create such a device is almost certain to be a userspace bug. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 7510afe237d979a5ee71afe87a20d49f631de1aa..5b647ab044e44b0c9d0961b5a33= 6b41f50408f88 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -767,7 +767,12 @@ static int get_target_version(struct file *filp, struc= t dm_ioctl *param, size_t static int check_name(const char *name) { if (strchr(name, '/')) { - DMERR("invalid device name"); + DMERR("device name cannot contain '/'"); + return -EINVAL; + } + + if (strcmp(name, DM_CONTROL_NODE) =3D=3D 0) { + DMERR("device name cannot be \"%s\"", DM_CONTROL_NODE); return -EINVAL; } =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Mon Feb 9 01:45:35 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65953C77B73 for ; Sat, 3 Jun 2023 14:53:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229641AbjFCOxg (ORCPT ); Sat, 3 Jun 2023 10:53:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60894 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229595AbjFCOxX (ORCPT ); Sat, 3 Jun 2023 10:53:23 -0400 Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DB53D18D for ; Sat, 3 Jun 2023 07:53:22 -0700 (PDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 436B55C00C8; Sat, 3 Jun 2023 10:53:22 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Sat, 03 Jun 2023 10:53:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685804002; x=1685890402; bh=F4OXbKEhX/ cWHBaWnFmGY6QP2wMBPb2edHzYfPJhig4=; b=k/jGMYcXSWRlwp1iXFmb5LZL1K 0nFerI/3Q2ubLUn6uAeTeRYk7BPE+wzpO8j+CExQick59ZwFRozc97HYVtVNeL5l 0DvB3xxb9SRWv2vjGWxqwpaaPUztPhcFc2evqVlpQcjTg7Jb5+aBFpymHefPqS00 fi4e1E9x93FmbljW/WxsHXWeMR+ZBZNaMoAh8eR5lgEaEWdMmuoSmC4mgFcI+Arb fJcuDRTbbbTy8e+zxKu3cpRou26/ndZr8c0pYwFTUGVL9klW9kIQyidHQIa0wGcb 5H5qgRD/mh9KI80PTV1fNjkIXHsBWzEMEelfdNQxv/4Nhl7Y8lv+feQblzAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685804002; x= 1685890402; bh=F4OXbKEhX/cWHBaWnFmGY6QP2wMBPb2edHzYfPJhig4=; b=n Wg+9EevZJ8ZOemDgL2dehUME+px4D3TcJV/KwLHq3qS0hxhV0ujPqqxhJ2LlkVfE 3Cm2F+QuHQPtNEDR8NLR3zKfICS8FaDhYJeqaD/spboiIk+98pTQaNYnvlF2EjLd r+Hpy4ZGmdm9ghF/elvqh+oMgjHs6iNBDAOzzOo7TGsbteNUk39gPAxYTKrDUakf /lVRIvUwkj2TWUyIY80HHF6yMAxkZXWjjtmIKdQdxDYDmRtKt2KPKh8dyN00BDCe p9WO6H5uTJU7Ob5eNVLU4XfDM/i5syGd2Y43vSdwQucOnd/N+STfIaR+zFAB1mOP TDiYuEf02bYa2wEyfg0Zw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeelhedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgvmhhi ucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhngh hslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepjeffjefggfeugeduvedvjeekgfeh gffhhfffjeetkeelueefffetfffhtdduheetnecuvehluhhsthgvrhfuihiivgeptdenuc frrghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhs lhgrsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 3 Jun 2023 10:53:21 -0400 (EDT) From: Demi Marie Obenour To: Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , linux-kernel@vger.kernel.org Subject: [PATCH v2 6/6] device-mapper: "." and ".." are not valid symlink names Date: Sat, 3 Jun 2023 10:52:44 -0400 Message-Id: <20230603145244.1538-7-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230603145244.1538-1-demi@invisiblethingslab.com> References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Using either of these is going to greatly confuse userspace, as they are not valid symlink names and so creating the usual /dev/mapper/NAME symlink will not be possible. As creating a device with either of these names is almost certainly a userspace bug, just error out. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 5b647ab044e44b0c9d0961b5a336b41f50408f88..12be95ee20778b9acd3ea0d98f1= 60a7409028afc 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -771,8 +771,10 @@ static int check_name(const char *name) return -EINVAL; } =20 - if (strcmp(name, DM_CONTROL_NODE) =3D=3D 0) { - DMERR("device name cannot be \"%s\"", DM_CONTROL_NODE); + if (strcmp(name, DM_CONTROL_NODE) =3D=3D 0 || + strcmp(name, ".") =3D=3D 0 || + strcmp(name, "..") =3D=3D 0) { + DMERR("device name cannot be \"%s\", \".\", or \"..\"", DM_CONTROL_NODE); return -EINVAL; } =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab