The code in dm-log rounds up bitset_size to 32 bits. It then uses
find_next_zero_bit_le on the allocated region. find_next_zero_bit_le
accesses the bitmap using unsigned long pointers. So, on 64-bit
architectures, it may access 4 bytes beyond the allocated size.

This bug was found by running the lvm testsuite with kasan.

This patch fixes the bug by rounding up bitset_size to BITS_PER_LONG.

Signed-off-by: Mikulas Patocka <[email protected]>
Cc: [email protected]

---
 drivers/md/dm-log.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Index: linux-2.6/drivers/md/dm-log.c
===================================================================
--- linux-2.6.orig/drivers/md/dm-log.c  2022-05-16 13:41:44.000000000 +0200
+++ linux-2.6/drivers/md/dm-log.c       2022-06-16 08:57:46.000000000 +0200
@@ -415,8 +415,7 @@ static int create_log_context(struct dm_
        /*
         * Work out how many "unsigned long"s we need to hold the bitset.
         */
-       bitset_size = dm_round_up(region_count,
-                                 sizeof(*lc->clean_bits) << BYTE_SHIFT);
+       bitset_size = dm_round_up(region_count, BITS_PER_LONG);
        bitset_size >>= BYTE_SHIFT;
 
        lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits);
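Review bot: the new rounding at `bitset_size = dm_round_up(region_count, BITS_PER_LONG);` carries no comment explaining why the granularity is BITS_PER_LONG rather than the element size of clean_bits. The reason, that find_next_zero_bit_le reads the bitmap through unsigned long pointers, lives only in the commit message. Consider extending the existing comment above the line to say the allocation must be a whole number of unsigned longs for the bit-search helpers, so that a later cleanup does not restore the `sizeof(*lc->clean_bits) << BYTE_SHIFT` form and reintroduce the 4-byte over-read. The context line that follows still computes bitset_uint32_count as `bitset_size / sizeof(*lc->clean_bits)`, so on 64-bit that count can now be one larger than before for the same region_count. It would help to confirm in the commit message that everything sized from bitset_uint32_count tolerates the change.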
--
dm-devel mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/dm-devel
