On Sun, Mar 01, 2026 at 09:10:58PM +0800, Junrui Luo wrote:
> The argument count calculation in create_dirty_log() performs
> `*args_used = 2 + param_count` before validating against argc. When a
> user provides a param_count close to UINT_MAX via the device mapper
> table string, this unsigned addition wraps around to a small value,
> causing the subsequent `argc < *args_used` check to be bypassed.
>
> The overflowed param_count is then passed as argc to dm_dirty_log_create(),
> where it can cause out-of-bounds reads on the argv array.
>
> Fix by comparing param_count against argc - 2 before performing the
> addition, following the same pattern used by parse_features() in the
> same file. Since argc >= 2 is already guaranteed, the subtraction is
> safe.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Yuhao Jiang <[email protected]>
> Signed-off-by: Junrui Luo <[email protected]>
Reviewed-by: Benjamin Marzinski <[email protected]>
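A simplified, stand-alone model of the two checks the commit message contrasts (added here as an illustration; it is not the dm-raid1 code and the function names are invented): the original form adds first and lets the unsigned sum wrap, the fixed form compares against argc - 2 before adding.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the original check: the addition happens before the
 * comparison, so a param_count near UINT_MAX wraps *args_used to a
 * small value and the argc test passes when it should not. */
bool dirty_log_args_ok_old(unsigned int argc, unsigned int param_count,
                           unsigned int *args_used)
{
    *args_used = 2 + param_count;      /* wraps when param_count > UINT_MAX - 2 */
    return !(argc < *args_used);
}

/* Model of the fixed check: compare param_count against argc - 2 first.
 * argc >= 2 is guarded explicitly here so the subtraction cannot wrap. */
bool dirty_log_args_ok_new(unsigned int argc, unsigned int param_count,
                           unsigned int *args_used)
{
    if (argc < 2)
        return false;
    if (param_count > argc - 2)        /* rejects before any addition */
        return false;
    *args_used = 2 + param_count;
    return true;
}

int main(void)
{
    unsigned int used;
    /* Constructed input: 4 arguments, param_count = UINT_MAX. */
    bool old_ok = dirty_log_args_ok_old(4, UINT_MAX, &used);
    printf("old check: accepted=%d args_used=%u\n", old_ok, used);
    bool new_ok = dirty_log_args_ok_new(4, UINT_MAX, &used);
    printf("new check: accepted=%d\n", new_ok);
    return 0;
}
```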