public inbox for [email protected]
 help / color / mirror / Atom feed
From: Colin Ian King <[email protected]>
To: Pavel Begunkov <[email protected]>,
	Jens Axboe <[email protected]>,
	[email protected]
Subject: Re: [PATCH] io_uring: fix provide_buffers sign extension
Date: Fri, 19 Mar 2021 10:39:53 +0000	[thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>

On 19/03/2021 10:34, Pavel Begunkov wrote:
> On 19/03/2021 10:31, Colin Ian King wrote:
>> On 19/03/2021 10:21, Pavel Begunkov wrote:
>>> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
>>> problems. Not a huge problem as it's only used for access_ok() and
>>> increases the checked length, but better to keep typing right.
>>>
>>> Reported-by: Colin Ian King <[email protected]>
>>> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
>>> Signed-off-by: Pavel Begunkov <[email protected]>
>>> ---
>>>  fs/io_uring.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>>> index c2489b463eb9..4f1c98502a09 100644
>>> --- a/fs/io_uring.c
>>> +++ b/fs/io_uring.c
>>> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
>>>  static int io_provide_buffers_prep(struct io_kiocb *req,
>>>  				   const struct io_uring_sqe *sqe)
>>>  {
>>> +	unsigned long size;
>>>  	struct io_provide_buf *p = &req->pbuf;
>>>  	u64 tmp;
>>>  
>>> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
>>>  	p->addr = READ_ONCE(sqe->addr);
>>>  	p->len = READ_ONCE(sqe->len);
>>>  
>>> -	if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
>>> +	size = (unsigned long)p->len * p->nbufs;
>>> +	if (!access_ok(u64_to_user_ptr(p->addr), size))
>>>  		return -EFAULT;
>>>  
>>>  	p->bgid = READ_ONCE(sqe->buf_group);
>>>
>>
>> Does it make sense to make size a u64 and cast to a u64 rather than
>> unsigned long?
> 
> static inline int __access_ok(unsigned long addr, unsigned long size)
> {
> 	return 1;
> }
> 
> Not sure. I was thinking about size_t, but ended up sticking
> to access_ok types.
> 
Ah, yep. OK.

Reviewed-by: Colin Ian King <[email protected]>

  reply	other threads:[~2021-03-19 10:40 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-19 10:21 [PATCH] io_uring: fix provide_buffers sign extension Pavel Begunkov
2021-03-19 10:31 ` Colin Ian King
2021-03-19 10:34   ` Pavel Begunkov
2021-03-19 10:39     ` Colin Ian King [this message]
2021-03-22  1:47 ` Pavel Begunkov
2021-03-22 13:41 ` Jens Axboe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox