diff options
| author | NeilBrown <neilb@suse.de> | 2023-03-06 09:36:25 +1100 |
|---|---|---|
| committer | Song Liu <song@kernel.org> | 2023-03-13 12:50:54 -0700 |
| commit | 3bc57292278a0b6ac4656cad94c14f2453344b57 (patch) | |
| tree | d3e5ec05fe586be34665ff6296710d7ec2d27388 /drivers/md | |
| parent | 3e453522593d74a87cf68a38e14aa36ebca1dbcd (diff) | |
| download | linux-stable-3bc57292278a0b6ac4656cad94c14f2453344b57.tar.gz linux-stable-3bc57292278a0b6ac4656cad94c14f2453344b57.tar.bz2 linux-stable-3bc57292278a0b6ac4656cad94c14f2453344b57.zip | |
md: avoid signed overflow in slot_store()
slot_store() uses kstrtouint() to get a slot number, but stores the
result in an "int" variable (by casting a pointer).
This can result in a negative slot number if the unsigned int value is
very large.
A negative number means that the slot is empty, but setting a negative
slot number this way will not remove the device from the array. I don't
think this is a serious problem, but it could cause confusion and it is
best to fix it.
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Song Liu <song@kernel.org>
Diffstat (limited to 'drivers/md')
| -rw-r--r-- | drivers/md/md.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c index f5480778e2f7..39e49e5d7182 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -3128,6 +3128,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len) err = kstrtouint(buf, 10, (unsigned int *)&slot); if (err < 0) return err; + if (slot < 0) + /* overflow */ + return -ENOSPC; } if (rdev->mddev->pers && slot == -1) { /* Setting 'slot' on an active array requires also |