null_blk: fix validation of block size

Ming Lei · Ming Lei · commit 49a15632921b · 2024-08-18T19:50:50.000+08:00
JIRA: https://issues.redhat.com/browse/RHEL-51322 CVE: CVE-2024-41077 commit c462ecd Author: Andreas Hindborg <a.hindborg@samsung.com> Date: Mon Jun 3 21:26:45 2024 +0200 null_blk: fix validation of block size Block size should be between 512 and PAGE_SIZE and be a power of 2. The current check does not validate this, so update the check. Without this patch, null_blk would Oops due to a null pointer deref when loaded with bs=1536 [1]. Link: https://lore.kernel.org/all/87wmn8mocd.fsf@metaspace.dk/ Signed-off-by: Andreas Hindborg <a.hindborg@samsung.com> Reviewed-by: Ming Lei <ming.lei@redhat.com> Link: https://lore.kernel.org/r/20240603192645.977968-1-nmi@metaspace.dk [axboe: remove unnecessary braces and != 0 check] Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Ming Lei <ming.lei@redhat.com>
diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
@@ -2049,8 +2049,8 @@ static int null_validate_conf(struct nullb_device *dev)
 		return -EINVAL;
 	}
 
-	dev->blocksize = round_down(dev->blocksize, 512);
-	dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096);
+	if (blk_validate_block_size(dev->blocksize))
+		return -EINVAL;
 
 	if (dev->queue_mode == NULL_Q_MQ && dev->use_per_node_hctx) {
 		if (dev->submit_queues != nr_online_nodes)

Original file line number	Diff line number	Diff line change
`@@ -2049,8 +2049,8 @@ static int null_validate_conf(struct nullb_device *dev)`
`2049`	`2049`	`return -EINVAL;`
`2050`	`2050`	`}`
`2051`	`2051`
`2052`		`- dev->blocksize = round_down(dev->blocksize, 512);`
`2053`		`- dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096);`
	`2052`	`+ if (blk_validate_block_size(dev->blocksize))`
	`2053`	`+ return -EINVAL;`
`2054`	`2054`
`2055`	`2055`	`if (dev->queue_mode == NULL_Q_MQ && dev->use_per_node_hctx) {`
`2056`	`2056`	`if (dev->submit_queues != nr_online_nodes)`