From: Jiang Liu Date: Thu, 6 Jun 2013 16:07:26 +0000 (+0800) Subject: zram: avoid access beyond the zram device X-Git-Tag: firefly_0821_release~176^2~5845^2~226 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=12a7ad3b810e77137d0caf97a6dd97591e075b30;p=firefly-linux-kernel-4.4.55.git zram: avoid access beyond the zram device Function valid_io_request() should verify the entire request are within the zram device address range. Otherwise it may cause invalid memory access when accessing/modifying zram->meta->table[index] because the 'index' is out of range. Then it may access non-exist memory, randomly modify memory belong to other subsystems, which is hard to track down. Signed-off-by: Jiang Liu Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c index f7603617db75..9f097ce55b24 100644 --- a/drivers/staging/zram/zram_drv.c +++ b/drivers/staging/zram/zram_drv.c @@ -420,13 +420,20 @@ out: */ static inline int valid_io_request(struct zram *zram, struct bio *bio) { - if (unlikely( - (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) || - (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)) || - (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) { + u64 start, end, bound; + + /* unaligned request */ + if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1))) + return 0; + if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1))) + return 0; + start = bio->bi_sector; + end = start + (bio->bi_size >> SECTOR_SHIFT); + bound = zram->disksize >> SECTOR_SHIFT; + /* out of range range */ + if (unlikely(start >= bound || end >= bound || start > end)) return 0; - } /* I/O request is valid */ return 1;