* [PATCH 1/2] io_uring: fix overflows checks in provide buffers
2021-04-15 12:07 [PATCH 0/2] two small patches Pavel Begunkov
@ 2021-04-15 12:07 ` Pavel Begunkov
2021-04-15 12:07 ` [PATCH 2/2] io_uring: check register restriction afore quiesce Pavel Begunkov
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2021-04-15 12:07 UTC
To: Jens Axboe, io-uring; +Cc: Colin Ian King
Colin reported before possible overflow and sign extension problems in
io_provide_buffers_prep(). As Linus pointed out previous attempt did nothing
useful, see d81269fecb8ce ("io_uring: fix provide_buffers sign extension").
Do that with help of check_<op>_overflow helpers. And fix struct
io_provide_buf::len type, as it doesn't make much sense to keep it
signed.
Reported-by: Colin Ian King <[email protected]>
Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index e9d60dee075e..b57994443b2c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -627,7 +627,7 @@ struct io_splice {
struct io_provide_buf {
struct file *file;
__u64 addr;
- __s32 len;
+ __u32 len;
__u32 bgid;
__u16 nbufs;
__u16 bid;
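Review bot: The switch of `len` from `__s32` to `__u32` is what actually stops `(unsigned long)p->len` from sign-extending in the prep function, but the commit message only says keeping it signed "doesn't make much sense". State that link explicitly in the message, and confirm that no other user of `io_provide_buf::len` relies on a negative value or passes it to a signed parameter.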
@@ -3923,7 +3923,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
static int io_provide_buffers_prep(struct io_kiocb *req,
const struct io_uring_sqe *sqe)
{
- unsigned long size;
+ unsigned long size, tmp_check;
struct io_provide_buf *p = &req->pbuf;
u64 tmp;
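Review bot: `tmp_check` is declared here only as a discard target for `check_add_overflow()` in the next hunk and is never read. A name such as `end` or a short comment would make it clear that the sum itself is unused and only the overflow result matters.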
@@ -3937,6 +3937,12 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
p->addr = READ_ONCE(sqe->addr);
p->len = READ_ONCE(sqe->len);
+ if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
+ &size))
+ return -EOVERFLOW;
+ if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
+ return -EOVERFLOW;
+
size = (unsigned long)p->len * p->nbufs;
if (!access_ok(u64_to_user_ptr(p->addr), size))
return -EFAULT;
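Review bot: The unchanged `size = (unsigned long)p->len * p->nbufs;` right after the new checks is now redundant, because `check_mul_overflow()` has already stored the product in `size`. Dropping it would make it obvious that the value passed to `access_ok()` is the checked one. Separately, `(unsigned long)p->addr` casts a `__u64` field, so where `unsigned long` is 32 bits the add-overflow check runs on a truncated address; consider whether that is intended or whether the sum should be checked in u64. The new -EOVERFLOW return sits next to the existing -EFAULT and is visible to userspace, which is worth a sentence in the commit message.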
--
2.24.0
* [PATCH 2/2] io_uring: check register restriction afore quiesce
From: Pavel Begunkov @ 2021-04-15 12:07 UTC
To: Jens Axboe, io-uring
Move restriction checks of __io_uring_register() before quiesce, saves
from waiting for requests in fail case and simplifies the code a bit.
Also add array_index_nospec() for safety
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 21 ++++++++-------------
1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index b57994443b2c..357993e3e0d2 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9764,6 +9764,14 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
if (percpu_ref_is_dying(&ctx->refs))
return -ENXIO;
+ if (ctx->restricted) {
+ if (opcode >= IORING_REGISTER_LAST)
+ return -EINVAL;
+ opcode = array_index_nospec(opcode, IORING_REGISTER_LAST);
+ if (!test_bit(opcode, ctx->restrictions.register_op))
+ return -EACCES;
+ }
+
if (io_register_op_must_quiesce(opcode)) {
percpu_ref_kill(&ctx->refs);
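Review bot: The `opcode = array_index_nospec(opcode, IORING_REGISTER_LAST);` line deserves a one-line comment saying it guards the `test_bit()` lookup into `ctx->restrictions.register_op` against speculative out-of-bounds indexing; the commit message gives only "for safety". Note also that the clamp and the `opcode >= IORING_REGISTER_LAST` bound apply only inside `if (ctx->restricted)`, so an unrestricted ring still passes the raw `opcode` to `io_register_op_must_quiesce()`. That looks fine as long as nothing on that path indexes an array with it, but it is worth confirming. The early `return` is correct here because no reference has been killed yet.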
@@ -9792,18 +9800,6 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
}
}
- if (ctx->restricted) {
- if (opcode >= IORING_REGISTER_LAST) {
- ret = -EINVAL;
- goto out;
- }
-
- if (!test_bit(opcode, ctx->restrictions.register_op)) {
- ret = -EACCES;
- goto out;
- }
- }
-
switch (opcode) {
case IORING_REGISTER_BUFFERS:
ret = io_sqe_buffers_register(ctx, arg, nr_args);
@@ -9877,7 +9873,6 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
break;
}
-out:
if (io_register_op_must_quiesce(opcode)) {
/* bring the ctx back to life */
percpu_ref_reinit(&ctx->refs);
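Review bot: Removing the `out:` label is only safe if no `goto out` remains anywhere in `__io_uring_register()`. The restriction block removed in the previous hunk held the two visible users, so confirm that every `switch` case leaves via `break`. With the label gone, any future error path added after `percpu_ref_kill()` must still fall through to this `percpu_ref_reinit()` rather than returning directly, and a short comment above the `switch` would help prevent that mistake.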
--
2.24.0
* Re: [PATCH 0/2] two small patches
From: Pavel Begunkov @ 2021-04-16 23:34 UTC
To: Jens Axboe, io-uring
On 15/04/2021 13:07, Pavel Begunkov wrote:
> Small patches improving userspace values handling.
imho, those are good for 5.13, as well as look small and clean
>
> Pavel Begunkov (2):
> io_uring: fix overflows checks in provide buffers
> io_uring: check register restriction afore quiesce
>
> fs/io_uring.c | 31 ++++++++++++++++---------------
> 1 file changed, 16 insertions(+), 15 deletions(-)
>
--
Pavel Begunkov
* Re: [PATCH 0/2] two small patches
From: Jens Axboe @ 2021-04-17 14:29 UTC
To: Pavel Begunkov, io-uring
On 4/15/21 6:07 AM, Pavel Begunkov wrote:
> Small patches improving userspace values handling.
>
> Pavel Begunkov (2):
> io_uring: fix overflows checks in provide buffers
> io_uring: check register restriction afore quiesce
>
> fs/io_uring.c | 31 ++++++++++++++++---------------
> 1 file changed, 16 insertions(+), 15 deletions(-)
Applied, thanks.
--
Jens Axboe