Re: [PATCH] md/raid5: validate payload size before accessing journal metadata
From: Yu Kuai
Date: Tue Apr 07 2026 - 01:29:54 EST
Hi,
On 2026/4/4 15:44, Junrui Luo wrote:
> r5c_recovery_analyze_meta_block() and
> r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
> journal metadata block using on-disk payload size fields without
> validating them against the remaining space in the metadata block.
>
> A corrupted journal containing payload sizes extending beyond the PAGE_SIZE
> boundary can cause out-of-bounds reads when accessing payload fields or
> computing offsets.
>
> Add bounds validation for each payload type to ensure the full payload
> fits within meta_size before processing.
>
> Fixes: b4c625c67362 ("md/r5cache: r5cache recovery: part 1")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
I didn't find a report mail from patchwork, so I remove this tag
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> drivers/md/raid5-cache.c | 48 +++++++++++++++++++++++++++++++++---------------
> 1 file changed, 33 insertions(+), 15 deletions(-)
Applied to md-7.1
--
Thanks,
Kuai
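
The check the commit message describes, as an added user-space example that is not code from the patch or from the kernel: each on-disk size field is validated against the space left before meta_size before it is used to advance. The layout (META_HDR, PL_HDR, a 32-bit count of 4-byte checksums), the function names and the sample block are assumptions made for illustration, not the raid5-cache on-disk format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 4096u /* stands in for PAGE_SIZE */
#define META_HDR   16u   /* assumed length of the block header */
#define PL_HDR     8u    /* assumed payload header: u16 type, u16 flags, u32 count */

/* Walk the payloads in blk[META_HDR..meta_size). Each payload is PL_HDR bytes
 * followed by count 4-byte checksums. Returns the number of payloads, or -1
 * as soon as a size field does not fit in the space that is left. */
int walk_payloads(const uint8_t *blk, uint32_t meta_size)
{
    uint32_t off = META_HDR;
    int n = 0;

    if (meta_size < META_HDR || meta_size > BLOCK_SIZE)
        return -1;
    while (off < meta_size) {
        uint32_t left = meta_size - off, count;

        if (left < PL_HDR)                /* header itself must fit */
            return -1;
        memcpy(&count, blk + off + 4, sizeof(count));
        if (count > (left - PL_HDR) / 4)  /* division avoids count * 4 overflow */
            return -1;
        off += PL_HDR + count * 4;
        n++;
    }
    return n;
}

/* Constructed sample block: two payloads with 2 and 1 checksums (meta_size 44).
 * second_count overrides the on-disk count of the second payload. */
int demo(uint32_t second_count, uint32_t meta_size)
{
    static uint8_t blk[BLOCK_SIZE];
    uint32_t first_count = 2;

    memset(blk, 0, sizeof(blk));
    memcpy(blk + META_HDR + 4, &first_count, sizeof(first_count));
    memcpy(blk + META_HDR + PL_HDR + 8 + 4, &second_count, sizeof(second_count));
    return walk_payloads(blk, meta_size);
}

int main(void)
{
    printf("%d %d %d\n", demo(1, 44), demo(2000, 44), demo(0x40000000u, 44));
    return 0;
}
```

The 0x40000000 case is the one a multiply-then-compare check misses: count * 4 wraps to 0 in 32 bits, so the comparison has to be done on the count, not on the product.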