From d5a993c1d724a5a2ae3c9a7179eedf68afa16f67 Mon Sep 17 00:00:00 2001 From: Matthew Sakai Date: Mon, 2 Feb 2026 21:20:25 -0500 Subject: [PATCH 1/2] dm vdo indexer: validate saved zone count Verify that the loaded zone count is in the valid range before using it as a loop iterator. Signed-off-by: Matthew Sakai --- drivers/md/dm-vdo/indexer/index-layout.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/md/dm-vdo/indexer/index-layout.c b/drivers/md/dm-vdo/indexer/index-layout.c index 61edf2b72427d..37144249f7ba6 100644 --- a/drivers/md/dm-vdo/indexer/index-layout.c +++ b/drivers/md/dm-vdo/indexer/index-layout.c @@ -1445,6 +1445,9 @@ static int __must_check reconstruct_index_save(struct index_save_layout *isl, u64 last_block = next_block + isl->index_save.block_count; isl->zone_count = table->header.region_count - 3; + if (isl->zone_count > MAX_ZONES) + return vdo_log_error_strerror(UDS_CORRUPT_DATA, + "invalid zone count"); last_region = &table->regions[table->header.region_count - 1]; if (last_region->kind == RL_KIND_EMPTY) { From 7d63ba8eb2f2c14ba61554a34ba963810003c79d Mon Sep 17 00:00:00 2001 From: Matthew Sakai Date: Mon, 2 Feb 2026 21:23:26 -0500 Subject: [PATCH 2/2] dm vdo slab-depot: validate old zone count on load Verify the old zone count has a valid value before using it to compute slab summary entry offsets. Signed-off-by: Matthew Sakai --- drivers/md/dm-vdo/slab-depot.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/md/dm-vdo/slab-depot.c b/drivers/md/dm-vdo/slab-depot.c index 034ecaa51f481..ad00afc2c168d 100644 --- a/drivers/md/dm-vdo/slab-depot.c +++ b/drivers/md/dm-vdo/slab-depot.c @@ -4262,6 +4262,10 @@ int vdo_decode_slab_depot(struct slab_depot_state_2_0 state, struct vdo *vdo, } slab_size_shift = ilog2(slab_size); + if (state.zone_count > MAX_VDO_PHYSICAL_ZONES) + return vdo_log_error_strerror(UDS_CORRUPT_DATA, + "invalid zone count"); + result = vdo_allocate_extended(struct slab_depot, vdo->thread_config.physical_zone_count, struct block_allocator, __func__, &depot);