[bug report] block: integer overflow in __bvec_gap_to_prev()

From: Roman Smirnov
Date: Tue Jun 11 2024 - 10:24:24 EST


Hello.

There is a case of integer overflow in __bvec_gap_to_prev():

((bprv->bv_offset + bprv->bv_len) & lim->virt_boundary_mask);

bio_vec can cross multiple pages:

https://lore.kernel.org/lkml/20190215111324.30129-1-ming.lei@xxxxxxxxxx/t/

So, in case a bio has one bio_vec, bv_len can have a maximum value of UINT_MAX.
The check happens in bio_full(). In the case when bv_len is equal to
UINT_MAX and bv_offset is greater than zero, an overflow may occur.

Found by Linux Verification Center (linuxtesting.org) with Svace.
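The following is an added illustration, not kernel code and not part of the original report: it models the expression quoted above with stand-in struct definitions (constructed here, only the field names bv_offset, bv_len and virt_boundary_mask follow the kernel) and reports whether the unsigned int addition wraps, the wrapped sum, the same sum carried in 64 bits, and the masked value obtained from each. The sample bio_vec uses the values the report describes (bv_len equal to UINT_MAX, bv_offset greater than zero) and a page-sized mask; both are constructed inputs.

```c
#include <stdint.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel structures (constructed for this example;
 * only the field names mirror struct bio_vec / struct queue_limits). */
struct bio_vec {
    unsigned int bv_offset;
    unsigned int bv_len;
};

struct queue_limits {
    unsigned long virt_boundary_mask;
};

struct gap_result {
    bool overflowed;              /* did bv_offset + bv_len wrap as unsigned int? */
    unsigned int wrapped_end;     /* the sum as a 32-bit unsigned int computes it */
    uint64_t wide_end;            /* the same sum carried in 64 bits (cannot wrap) */
    unsigned long masked_wrapped; /* wrapped_end & virt_boundary_mask */
    unsigned long masked_wide;    /* wide_end & virt_boundary_mask */
};

/* Evaluate (bv_offset + bv_len) & virt_boundary_mask both as the 32-bit
 * arithmetic does it and in a width that cannot overflow, so the two can
 * be compared. __builtin_add_overflow is a GCC/Clang builtin that stores
 * the wrapped result and returns true when the addition overflowed. */
static struct gap_result analyse_gap(const struct bio_vec *bv,
                                     const struct queue_limits *lim)
{
    struct gap_result r;

    r.overflowed = __builtin_add_overflow(bv->bv_offset, bv->bv_len,
                                          &r.wrapped_end);
    r.wide_end = (uint64_t)bv->bv_offset + (uint64_t)bv->bv_len;
    r.masked_wrapped = r.wrapped_end & lim->virt_boundary_mask;
    r.masked_wide = (unsigned long)(r.wide_end & lim->virt_boundary_mask);
    return r;
}

int main(void)
{
    /* Constructed sample: the situation the report describes. */
    struct bio_vec bv = { .bv_offset = 4096, .bv_len = UINT_MAX };
    struct queue_limits lim = { .virt_boundary_mask = 4095 };
    struct gap_result r = analyse_gap(&bv, &lim);

    printf("overflowed:     %s\n", r.overflowed ? "yes" : "no");
    printf("wrapped end:    0x%x\n", r.wrapped_end);
    printf("wide end:       0x%llx\n", (unsigned long long)r.wide_end);
    printf("masked wrapped: 0x%lx\n", r.masked_wrapped);
    printf("masked wide:    0x%lx\n", r.masked_wide);
    return 0;
}
```

For the constructed input the 32-bit addition does wrap (0x100000FFF becomes 0xFFF). Whether the wrap changes the outcome of the masked boundary test is a separate question that depends on the mask: when virt_boundary_mask fits in 32 bits, the mask keeps only low-order bits, which wrapping at bit 32 does not disturb, so the wrapped and wide masked values coincide; the function reports both so that a reviewer can check this for the mask in use rather than assume it.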