]>
Commit | Line | Data |
---|---|---|
04fd09d4 SL |
1 | From 8df0a6c1b443294005e9c23d76d38ed7472ebd0e Mon Sep 17 00:00:00 2001 |
2 | From: Coly Li <colyli@suse.de> | |
3 | Date: Sat, 9 Feb 2019 12:53:10 +0800 | |
4 | Subject: bcache: fix input overflow to cache set sysfs file io_error_halflife | |
5 | ||
6 | [ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ] | |
7 | ||
8 | Cache set sysfs entry io_error_halflife is used to set c->error_decay. | |
9 | c->error_decay is in type unsigned int, and it is converted by | |
10 | strtoul_or_return(), therefore overflow to c->error_decay is possible | |
11 | for a large input value. | |
12 | ||
13 | This patch fixes the overflow by using strtoul_safe_clamp() to convert | |
14 | input string to an unsigned long value in range [0, UINT_MAX], then | |
15 | divides by 88 and set it to c->error_decay. | |
16 | ||
17 | Signed-off-by: Coly Li <colyli@suse.de> | |
18 | Signed-off-by: Jens Axboe <axboe@kernel.dk> | |
19 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
20 | --- | |
21 | drivers/md/bcache/sysfs.c | 13 +++++++++++-- | |
22 | 1 file changed, 11 insertions(+), 2 deletions(-) | |
23 | ||
24 | diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c | |
25 | index 5d81cd06af00..43ff7fbcbc7c 100644 | |
26 | --- a/drivers/md/bcache/sysfs.c | |
27 | +++ b/drivers/md/bcache/sysfs.c | |
28 | @@ -660,8 +660,17 @@ STORE(__bch_cache_set) | |
29 | c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT; | |
30 | ||
31 | /* See count_io_errors() for why 88 */ | |
32 | - if (attr == &sysfs_io_error_halflife) | |
33 | - c->error_decay = strtoul_or_return(buf) / 88; | |
34 | + if (attr == &sysfs_io_error_halflife) { | |
35 | + unsigned long v = 0; | |
36 | + ssize_t ret; | |
37 | + | |
38 | + ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX); | |
39 | + if (!ret) { | |
40 | + c->error_decay = v / 88; | |
41 | + return size; | |
42 | + } | |
43 | + return ret; | |
44 | + } | |
45 | ||
46 | sysfs_strtoul(journal_delay_ms, c->journal_delay_ms); | |
47 | sysfs_strtoul(verify, c->verify); | |
48 | -- | |
49 | 2.19.1 | |
50 |