From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 20 Apr 2012 20:49:44 +0000 (-0500)
Subject: rbd: fix integer overflow in rbd_header_from_disk()
X-Git-Tag: v3.5-rc1~36^2~29
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=50f7c4c967d0b5acd8e7ba6ab654dc4a7ac869ac;p=profile%2Fivi%2Fkernel-adaptation-intel-automotive.git

rbd: fix integer overflow in rbd_header_from_disk()

ondisk->snap_count is read from disk via rbd_req_sync_read() and thus
needs validation.  Otherwise, a bogus `snap_count' could overflow the
kmalloc() size, leading to memory corruption.

Also use `u32' consistently for `snap_count'.

[elder@dreamhost.com: changed to use UINT_MAX rather than ULONG_MAX]

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
---

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index ca59d4d..a75fe93 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -487,16 +487,18 @@ static void rbd_coll_release(struct kref *kref)
  */
 static int rbd_header_from_disk(struct rbd_image_header *header,
 				 struct rbd_image_header_ondisk *ondisk,
-				 int allocated_snaps,
+				 u32 allocated_snaps,
 				 gfp_t gfp_flags)
 {
-	int i;
-	u32 snap_count;
+	u32 i, snap_count;
 
 	if (memcmp(ondisk, RBD_HEADER_TEXT, sizeof(RBD_HEADER_TEXT)))
 		return -ENXIO;
 
 	snap_count = le32_to_cpu(ondisk->snap_count);
+	if (snap_count > (UINT_MAX - sizeof(struct ceph_snap_context))
+			 / sizeof (*ondisk))
+		return -EINVAL;
 	header->snapc = kmalloc(sizeof(struct ceph_snap_context) +
 				snap_count * sizeof (*ondisk),
 				gfp_flags);
@@ -1591,7 +1593,7 @@ static int rbd_read_header(struct rbd_device *rbd_dev,
 {
 	ssize_t rc;
 	struct rbd_image_header_ondisk *dh;
-	int snap_count = 0;
+	u32 snap_count = 0;
 	u64 ver;
 	size_t len;