--- /dev/null
+From 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 26 Mar 2021 14:32:32 -0400
+Subject: dm ioctl: fix out of bounds array access when no devices
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream.
+
+If there are not any dm devices, we need to zero the "dev" argument in
+the first structure dm_name_list. However, this can cause out of
+bounds write, because the "needed" variable is zero and len may be
+less than eight.
+
+Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
+too small to hold the "nl->dev" value.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+[iwamatsu: Adjust context]
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl
+ * Grab our output buffer.
+ */
+ nl = get_result_buffer(param, param_size, &len);
+- if (len < needed) {
++ if (len < needed || len < sizeof(nl->dev)) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ goto out;
+ }
--- /dev/null
+From b4104180a2efb85f55e1ba1407885c9421970338 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 5 Apr 2021 11:48:52 +0200
+Subject: kobject_uevent: remove warning in init_uevent_argv()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit b4104180a2efb85f55e1ba1407885c9421970338 upstream.
+
+syzbot can trigger the WARN() in init_uevent_argv() which isn't the
+nicest as the code does properly recover and handle the error. So
+change the WARN() call to pr_warn() and provide some more information on
+what the buffer size that was needed.
+
+Link: https://lore.kernel.org/r/20201107082206.GA19079@kroah.com
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: linux-kernel@vger.kernel.org
+Reported-by: syzbot+92340f7b2b4789907fdb@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20210405094852.1348499-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/kobject_uevent.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/lib/kobject_uevent.c
++++ b/lib/kobject_uevent.c
+@@ -128,12 +128,13 @@ static int kobj_usermode_filter(struct k
+
+ static int init_uevent_argv(struct kobj_uevent_env *env, const char *subsystem)
+ {
++ int buffer_size = sizeof(env->buf) - env->buflen;
+ int len;
+
+- len = strlcpy(&env->buf[env->buflen], subsystem,
+- sizeof(env->buf) - env->buflen);
+- if (len >= (sizeof(env->buf) - env->buflen)) {
+- WARN(1, KERN_ERR "init_uevent_argv: buffer size too small\n");
++ len = strlcpy(&env->buf[env->buflen], subsystem, buffer_size);
++ if (len >= buffer_size) {
++ pr_warn("init_uevent_argv: buffer size of %d too small, needed %d\n",
++ buffer_size, len);
+ return -ENOMEM;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
