Hi
Here I'm sending a backport of the patch 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 for the kernel 4.19.
Mikulas
On Mon, 18 Apr 2022, gregkh@linuxfoundation.org wrote:
The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
thanks,
greg k-h
It is possible to set up dm-integrity in such a way that the "tag_size" parameter is less than the actual digest size. In this situation, a part of the digest beyond tag_size is ignored.
In this case, dm-integrity would write beyond the end of the ic->recalc_tags array and corrupt memory. The corruption happened in integrity_recalc->integrity_sector_checksum->crypto_shash_final.
Fix this corruption by increasing the tags array so that it has enough padding at the end to accomodate the loop in integrity_recalc() being able to write a full digest size for the last member of the tags array.
Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Mikulas Patocka mpatocka@redhat.com Signed-off-by: Mike Snitzer snitzer@kernel.org
--- drivers/md/dm-integrity.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
Index: linux-stable/drivers/md/dm-integrity.c =================================================================== --- linux-stable.orig/drivers/md/dm-integrity.c 2022-04-19 10:52:45.000000000 +0200 +++ linux-stable/drivers/md/dm-integrity.c 2022-04-19 10:54:41.000000000 +0200 @@ -3504,6 +3504,7 @@ try_smaller_buffer: }
if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING)) { + size_t recalc_tags_size; if (!ic->internal_hash) { r = -EINVAL; ti->error = "Recalculate is only valid with internal hash"; @@ -3522,8 +3523,10 @@ try_smaller_buffer: r = -ENOMEM; goto bad; } - ic->recalc_tags = kvmalloc_array(RECALC_SECTORS >> ic->sb->log2_sectors_per_block, - ic->tag_size, GFP_KERNEL); + recalc_tags_size = (RECALC_SECTORS >> ic->sb->log2_sectors_per_block) * ic->tag_size; + if (crypto_shash_digestsize(ic->internal_hash) > ic->tag_size) + recalc_tags_size += crypto_shash_digestsize(ic->internal_hash) - ic->tag_size; + ic->recalc_tags = kvmalloc(recalc_tags_size, GFP_KERNEL); if (!ic->recalc_tags) { ti->error = "Cannot allocate tags for recalculating"; r = -ENOMEM;