drbd/bsc-1206791-08-lib-lru_cache-Fixed-array-overflow-caused-by-incorre.patch

From c2a620949ed609d6e256d1ce4d671a6da6bfeac0 Mon Sep 17 00:00:00 2001
From: John Sanpe <sanpeqf@gmail.com>
Date: Sat, 23 Jul 2022 09:59:31 +0200
Subject: [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect
 boundary handling.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This problem occurs when malloc element failed on the first time.
At this time, the counter i is 0. When it's released, we subtract 1
in advance without checking, which will cause i to become UINT_MAX,
resulting in array overflow.

Signed-off-by: John Sanpe <sanpeqf@gmail.com>
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
---
 drbd/lru_cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drbd/lru_cache.c b/drbd/lru_cache.c
index 7e604cdc87db..fc640490607a 100644
--- a/drbd/lru_cache.c
+++ b/drbd/lru_cache.c
@@ -127,7 +127,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
 		return lc;
 
 	/* else: could not allocate all elements, give up */
-	for (i--; i; i--) {
+	while (i--) {
 		void *p = element[i];
 		kmem_cache_free(cache, (unsigned char *)p - e_off);
 	}
-- 
2.26.2
Accepting request 1056192 from home:hmzhao:branches:network:ha-clustering:Factory - drbd: fix build error against kernel v6.1.1 (bsc#1206791) * update bsc-1201335_06-bdi.patch commit log (no code change) + bsc-1201335_06-bdi.patch * update bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch (no code change) + bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch * using upstream patch to replace exist patch - bsc-1204596_02-drbd-stop-using-bdevname-in-drbd_report_io_error.patch + bsc-1204596_02-drbd-remove-usage-of-bdevname.patch * add new patches + bsc-1206791-01-drbd-add-comments-explaining-removal-of-bdi-congesti.patch + bsc-1206791-02-drbd-fix-static-analysis-warnings.patch + bsc-1206791-03-drbd-fix-warning-about-initializing-multiple-struct-.patch + bsc-1206791-04-blk_queue_split__no_present.patch + bsc-1206791-05-prandom_u32_max.patch + bsc-1206791-06-write_zeroes__no_capable.patch + bsc-1206791-07-drbd-fix-use-after-free-bugs-in-get_initial_state.patch + bsc-1206791-08-lib-lru_cache-Fixed-array-overflow-caused-by-incorre.patch + bsc-1206791-09-pmem-use-fs_dax_get_by_bdev-instead-of-dax_get_by_ho.patch OBS-URL: https://build.opensuse.org/request/show/1056192 OBS-URL: https://build.opensuse.org/package/show/network:ha-clustering:Factory/drbd?expand=0&rev=142 2023-01-05 13:24:33 +00:00			`From c2a620949ed609d6e256d1ce4d671a6da6bfeac0 Mon Sep 17 00:00:00 2001`
			`From: John Sanpe <sanpeqf@gmail.com>`
			`Date: Sat, 23 Jul 2022 09:59:31 +0200`
			`Subject: [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect`
			`boundary handling.`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`This problem occurs when malloc element failed on the first time.`
			`At this time, the counter i is 0. When it's released, we subtract 1`
			`in advance without checking, which will cause i to become UINT_MAX,`
			`resulting in array overflow.`

			`Signed-off-by: John Sanpe <sanpeqf@gmail.com>`
			`Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>`
			`---`
			`drbd/lru_cache.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/drbd/lru_cache.c b/drbd/lru_cache.c`
			`index 7e604cdc87db..fc640490607a 100644`
			`--- a/drbd/lru_cache.c`
			`+++ b/drbd/lru_cache.c`
			`@@ -127,7 +127,7 @@ struct lru_cache lc_create(const char name, struct kmem_cache *cache,`
			`return lc;`

			`/* else: could not allocate all elements, give up */`
			`- for (i--; i; i--) {`
			`+ while (i--) {`
			`void *p = element[i];`
			`kmem_cache_free(cache, (unsigned char *)p - e_off);`
			`}`
			`--`
			`2.26.2`