mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-06 16:49:22 +00:00
md: avoid signed overflow in slot_store()
[ Upstream commit 3bc5729227 ]
slot_store() uses kstrtouint() to get a slot number, but stores the
result in an "int" variable (by casting a pointer).
This can result in a negative slot number if the unsigned int value is
very large.
A negative number means that the slot is empty, but setting a negative
slot number this way will not remove the device from the array. I don't
think this is a serious problem, but it could cause confusion and it is
best to fix it.
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
NeilBrown
Greg Kroah-Hartman
parent
643170dac6
commit
b7de906cf9
1 changed files with 3 additions and 0 deletions
|
|
@ -2991,6 +2991,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
|
|||
err = kstrtouint(buf, 10, (unsigned int *)&slot);
|
||||
if (err < 0)
|
||||
return err;
|
||||
if (slot < 0)
|
||||
/* overflow */
|
||||
return -ENOSPC;
|
||||
}
|
||||
if (rdev->mddev->pers && slot == -1) {
|
||||
/* Setting 'slot' on an active array requires also
|
||||
|
|
|
|||
Loading…
Reference in a new issue