[PATCH] io_uring: fix provide_buffers sign extension

public inbox for [email protected]
 help / color / mirror / Atom feed

* [PATCH] io_uring: fix provide_buffers sign extension
@ 2021-03-19 10:21 Pavel Begunkov
  2021-03-19 10:31 ` Colin Ian King
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Pavel Begunkov @ 2021-03-19 10:21 UTC (permalink / raw)
  To: Jens Axboe, io-uring; +Cc: Colin Ian King

io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
problems. Not a huge problem as it's only used for access_ok() and
increases the checked length, but better to keep typing right.

Reported-by: Colin Ian King <[email protected]>
Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
Signed-off-by: Pavel Begunkov <[email protected]>
---
 fs/io_uring.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index c2489b463eb9..4f1c98502a09 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
 static int io_provide_buffers_prep(struct io_kiocb *req,
 				   const struct io_uring_sqe *sqe)
 {
+	unsigned long size;
 	struct io_provide_buf *p = &req->pbuf;
 	u64 tmp;
 
@@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
 	p->addr = READ_ONCE(sqe->addr);
 	p->len = READ_ONCE(sqe->len);
 
-	if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
+	size = (unsigned long)p->len * p->nbufs;
+	if (!access_ok(u64_to_user_ptr(p->addr), size))
 		return -EFAULT;
 
 	p->bgid = READ_ONCE(sqe->buf_group);
-- 
2.24.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] io_uring: fix provide_buffers sign extension
  2021-03-19 10:21 [PATCH] io_uring: fix provide_buffers sign extension Pavel Begunkov
@ 2021-03-19 10:31 ` Colin Ian King
  2021-03-19 10:34   ` Pavel Begunkov
  2021-03-22  1:47 ` Pavel Begunkov
  2021-03-22 13:41 ` Jens Axboe
  2 siblings, 1 reply; 6+ messages in thread
From: Colin Ian King @ 2021-03-19 10:31 UTC (permalink / raw)
  To: Pavel Begunkov, Jens Axboe, io-uring

On 19/03/2021 10:21, Pavel Begunkov wrote:
> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
> problems. Not a huge problem as it's only used for access_ok() and
> increases the checked length, but better to keep typing right.
> 
> Reported-by: Colin Ian King <[email protected]>
> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
> Signed-off-by: Pavel Begunkov <[email protected]>
> ---
>  fs/io_uring.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index c2489b463eb9..4f1c98502a09 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
>  static int io_provide_buffers_prep(struct io_kiocb *req,
>  				   const struct io_uring_sqe *sqe)
>  {
> +	unsigned long size;
>  	struct io_provide_buf *p = &req->pbuf;
>  	u64 tmp;
>  
> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
>  	p->addr = READ_ONCE(sqe->addr);
>  	p->len = READ_ONCE(sqe->len);
>  
> -	if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
> +	size = (unsigned long)p->len * p->nbufs;
> +	if (!access_ok(u64_to_user_ptr(p->addr), size))
>  		return -EFAULT;
>  
>  	p->bgid = READ_ONCE(sqe->buf_group);
> 

Does it make sense to make size a u64 and cast to a u64 rather than
unsigned long?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] io_uring: fix provide_buffers sign extension
  2021-03-19 10:31 ` Colin Ian King
@ 2021-03-19 10:34   ` Pavel Begunkov
  2021-03-19 10:39     ` Colin Ian King
  0 siblings, 1 reply; 6+ messages in thread
From: Pavel Begunkov @ 2021-03-19 10:34 UTC (permalink / raw)
  To: Colin Ian King, Jens Axboe, io-uring

On 19/03/2021 10:31, Colin Ian King wrote:
> On 19/03/2021 10:21, Pavel Begunkov wrote:
>> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
>> problems. Not a huge problem as it's only used for access_ok() and
>> increases the checked length, but better to keep typing right.
>>
>> Reported-by: Colin Ian King <[email protected]>
>> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
>> Signed-off-by: Pavel Begunkov <[email protected]>
>> ---
>>  fs/io_uring.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>> index c2489b463eb9..4f1c98502a09 100644
>> --- a/fs/io_uring.c
>> +++ b/fs/io_uring.c
>> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
>>  static int io_provide_buffers_prep(struct io_kiocb *req,
>>  				   const struct io_uring_sqe *sqe)
>>  {
>> +	unsigned long size;
>>  	struct io_provide_buf *p = &req->pbuf;
>>  	u64 tmp;
>>  
>> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
>>  	p->addr = READ_ONCE(sqe->addr);
>>  	p->len = READ_ONCE(sqe->len);
>>  
>> -	if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
>> +	size = (unsigned long)p->len * p->nbufs;
>> +	if (!access_ok(u64_to_user_ptr(p->addr), size))
>>  		return -EFAULT;
>>  
>>  	p->bgid = READ_ONCE(sqe->buf_group);
>>
> 
> Does it make sense to make size a u64 and cast to a u64 rather than
> unsigned long?

static inline int __access_ok(unsigned long addr, unsigned long size)
{
	return 1;
}

Not sure. I was thinking about size_t, but ended up sticking
to access_ok types.

-- 
Pavel Begunkov

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] io_uring: fix provide_buffers sign extension
  2021-03-19 10:34   ` Pavel Begunkov
@ 2021-03-19 10:39     ` Colin Ian King
  0 siblings, 0 replies; 6+ messages in thread
From: Colin Ian King @ 2021-03-19 10:39 UTC (permalink / raw)
  To: Pavel Begunkov, Jens Axboe, io-uring

On 19/03/2021 10:34, Pavel Begunkov wrote:
> On 19/03/2021 10:31, Colin Ian King wrote:
>> On 19/03/2021 10:21, Pavel Begunkov wrote:
>>> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
>>> problems. Not a huge problem as it's only used for access_ok() and
>>> increases the checked length, but better to keep typing right.
>>>
>>> Reported-by: Colin Ian King <[email protected]>
>>> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
>>> Signed-off-by: Pavel Begunkov <[email protected]>
>>> ---
>>>  fs/io_uring.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>>> index c2489b463eb9..4f1c98502a09 100644
>>> --- a/fs/io_uring.c
>>> +++ b/fs/io_uring.c
>>> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
>>>  static int io_provide_buffers_prep(struct io_kiocb *req,
>>>  				   const struct io_uring_sqe *sqe)
>>>  {
>>> +	unsigned long size;
>>>  	struct io_provide_buf *p = &req->pbuf;
>>>  	u64 tmp;
>>>  
>>> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
>>>  	p->addr = READ_ONCE(sqe->addr);
>>>  	p->len = READ_ONCE(sqe->len);
>>>  
>>> -	if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
>>> +	size = (unsigned long)p->len * p->nbufs;
>>> +	if (!access_ok(u64_to_user_ptr(p->addr), size))
>>>  		return -EFAULT;
>>>  
>>>  	p->bgid = READ_ONCE(sqe->buf_group);
>>>
>>
>> Does it make sense to make size a u64 and cast to a u64 rather than
>> unsigned long?
> 
> static inline int __access_ok(unsigned long addr, unsigned long size)
> {
> 	return 1;
> }
> 
> Not sure. I was thinking about size_t, but ended up sticking
> to access_ok types.
> 
Ah, yep. OK.

Reviewed-by: Colin Ian King <[email protected]>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] io_uring: fix provide_buffers sign extension
  2021-03-19 10:21 [PATCH] io_uring: fix provide_buffers sign extension Pavel Begunkov
  2021-03-19 10:31 ` Colin Ian King
@ 2021-03-22  1:47 ` Pavel Begunkov
  2021-03-22 13:41 ` Jens Axboe
  2 siblings, 0 replies; 6+ messages in thread
From: Pavel Begunkov @ 2021-03-22  1:47 UTC (permalink / raw)
  To: Jens Axboe, io-uring; +Cc: Colin Ian King

On 19/03/2021 10:21, Pavel Begunkov wrote:
> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
> problems. Not a huge problem as it's only used for access_ok() and
> increases the checked length, but better to keep typing right.

Forgot to mention, I suggest it for 5.12, simple enough and
may be a problem for userspace in some rare cases.


> Reported-by: Colin Ian King <[email protected]>
> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
> Signed-off-by: Pavel Begunkov <[email protected]>
> ---
>  fs/io_uring.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index c2489b463eb9..4f1c98502a09 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
>  static int io_provide_buffers_prep(struct io_kiocb *req,
>  				   const struct io_uring_sqe *sqe)
>  {
> +	unsigned long size;
>  	struct io_provide_buf *p = &req->pbuf;
>  	u64 tmp;
>  
> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
>  	p->addr = READ_ONCE(sqe->addr);
>  	p->len = READ_ONCE(sqe->len);
>  
> -	if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
> +	size = (unsigned long)p->len * p->nbufs;
> +	if (!access_ok(u64_to_user_ptr(p->addr), size))
>  		return -EFAULT;
>  
>  	p->bgid = READ_ONCE(sqe->buf_group);
> 

-- 
Pavel Begunkov

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] io_uring: fix provide_buffers sign extension
  2021-03-19 10:21 [PATCH] io_uring: fix provide_buffers sign extension Pavel Begunkov
  2021-03-19 10:31 ` Colin Ian King
  2021-03-22  1:47 ` Pavel Begunkov
@ 2021-03-22 13:41 ` Jens Axboe
  2 siblings, 0 replies; 6+ messages in thread
From: Jens Axboe @ 2021-03-22 13:41 UTC (permalink / raw)
  To: Pavel Begunkov, io-uring; +Cc: Colin Ian King

On 3/19/21 4:21 AM, Pavel Begunkov wrote:
> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
> problems. Not a huge problem as it's only used for access_ok() and
> increases the checked length, but better to keep typing right.

Applied, thanks.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-03-22 13:42 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-19 10:21 [PATCH] io_uring: fix provide_buffers sign extension Pavel Begunkov
2021-03-19 10:31 ` Colin Ian King
2021-03-19 10:34   ` Pavel Begunkov
2021-03-19 10:39     ` Colin Ian King
2021-03-22  1:47 ` Pavel Begunkov
2021-03-22 13:41 ` Jens Axboe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox