It is not sufficient to have a comment /* Sanity check the size. */,

also check the size is greater than zero and a multiple of DEV_BSIZE. Reported-by: syzbot+318187e5124846542f8d@syzkaller.appspotmail.com
2023-01-13 15:46:40 +00:00 · 2023-01-13 15:46:40 +00:00 · 9e1aa1e4ed
parent 2f8ed368a1
commit 9e1aa1e4ed
1 changed files with 7 additions and 4 deletions
--- a/sys/dev/md.c
+++ b/sys/dev/md.c
@ -1,4 +1,4 @@
-/*	$NetBSD: md.c,v 1.86 2022/09/24 23:20:13 thorpej Exp $	*/
+/*	$NetBSD: md.c,v 1.87 2023/01/13 15:46:40 hannken Exp $	*/

 /*
 * Copyright (c) 1995 Gordon W. Ross, Leo Weppelman.
@ -40,7 +40,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: md.c,v 1.86 2022/09/24 23:20:13 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: md.c,v 1.87 2023/01/13 15:46:40 hannken Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_md.h"
@ -589,10 +589,13 @@ md_ioctl_kalloc(struct md_softc *sc, struct md_conf *umd,
 	vaddr_t addr;
 	vsize_t size;

-	mutex_exit(&sc->sc_lock);
-
 	/* Sanity check the size. */
 	size = umd->md_size;
+	if (size < DEV_BSIZE || (size % DEV_BSIZE) != 0)
+		return EINVAL;
+
+	mutex_exit(&sc->sc_lock);
+
 	addr = uvm_km_alloc(kernel_map, size, 0, UVM_KMF_WIRED|UVM_KMF_ZERO);

 	mutex_enter(&sc->sc_lock);