* buffer overflow in io_sq_thread()
@ 2021-03-31 20:24 Alexey Dobriyan
From: Alexey Dobriyan @ 2021-03-31 20:24 UTC (permalink / raw)
To: axboe; +Cc: asml.silence, io-uring
The code below will overflow because TASK_COMM_LEN is 16 but PID can be
as large as 1 billion, which is a 10-digit number.
Currently not even Fedora ships pid_max that large but still...
Alexey
static int io_sq_thread(void *data)
{
	struct io_sq_data *sqd = data;
	struct io_ring_ctx *ctx;
	unsigned long timeout = 0;
	char buf[TASK_COMM_LEN];
	DEFINE_WAIT(wait);

	sprintf(buf, "iou-sqp-%d", sqd->task_pid);
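Added illustration, not part of the thread or of the kernel source: a user-space model of the length arithmetic behind the report. It assumes TASK_COMM_LEN is 16 as the report states, and the function names (iou_sqp_name_len, iou_sqp_name_fits, iou_sqp_largest_fitting_pid, iou_sqp_format_name) are hypothetical helpers written for this example. It shows how many bytes "iou-sqp-<pid>" really needs, the largest PID that still fits, and how a bounded snprintf() turns the out-of-bounds write into a detectable truncation.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumption (from the thread): the kernel's TASK_COMM_LEN is 16. This is a
 * user-space model of that buffer, not the kernel code itself. */
#define TASK_COMM_LEN 16
#define IOU_SQP_PREFIX "iou-sqp-"

/* Bytes, including the terminating NUL, that "iou-sqp-<pid>" occupies. */
size_t iou_sqp_name_len(int pid)
{
	int n = snprintf(NULL, 0, IOU_SQP_PREFIX "%d", pid);
	return (size_t)n + 1;
}

/* 1 if the formatted name fits a TASK_COMM_LEN buffer, 0 if it would overflow. */
int iou_sqp_name_fits(int pid)
{
	return iou_sqp_name_len(pid) <= TASK_COMM_LEN;
}

/* Largest PID whose name still fits: TASK_COMM_LEN minus the NUL minus the
 * prefix leaves the number of digits available; 10^digits - 1 is the bound. */
int iou_sqp_largest_fitting_pid(void)
{
	size_t digits = TASK_COMM_LEN - 1 - strlen(IOU_SQP_PREFIX);
	long bound = 1;

	for (size_t i = 0; i < digits; i++)
		bound *= 10;
	bound -= 1;
	return bound > INT_MAX ? INT_MAX : (int)bound;
}

/* Bounded formatting: snprintf() truncates instead of writing past the end.
 * Returns the length the full name would have needed, so a caller detects
 * truncation by comparing the result against bufsz. */
int iou_sqp_format_name(char *buf, size_t bufsz, int pid)
{
	return snprintf(buf, bufsz, IOU_SQP_PREFIX "%d", pid);
}

int main(void)
{
	/* Constructed sample PIDs: a small one, the largest that fits, one digit
	 * too many, and the thread's ten-digit worst case. */
	int pids[] = { 1, iou_sqp_largest_fitting_pid(), 10000000, 1000000000 };
	char buf[TASK_COMM_LEN];

	for (size_t i = 0; i < sizeof(pids) / sizeof(pids[0]); i++) {
		int needed = iou_sqp_format_name(buf, sizeof(buf), pids[i]);

		printf("pid %10d needs %2zu bytes, fits=%d, stored=\"%s\"%s\n",
		       pids[i], iou_sqp_name_len(pids[i]),
		       iou_sqp_name_fits(pids[i]), buf,
		       (size_t)needed >= sizeof(buf) ? " (truncated)" : "");
	}
	return 0;
}
```

With a 16-byte buffer, 8 bytes of prefix and 1 byte of NUL leave room for 7 digits, so PIDs above 9999999 no longer fit; the plain sprintf() in the reported code writes the extra digits past the end of buf, while the bounded variant stores "iou-sqp-1000000" for a ten-digit PID and reports the full length it wanted.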
* Re: buffer overflow in io_sq_thread()
From: Pavel Begunkov @ 2021-04-01 8:51 UTC (permalink / raw)
To: Alexey Dobriyan, axboe; +Cc: io-uring
On 31/03/2021 21:24, Alexey Dobriyan wrote:
> The code below will overflow because TASK_COMM_LEN is 16 but PID can be
> as large as 1 billion, which is a 10-digit number.
>
> Currently not even Fedora ships pid_max that large but still...
And is safer limited in any case. Thanks.
>
> Alexey
>
> static int io_sq_thread(void *data)
> {
> 	struct io_sq_data *sqd = data;
> 	struct io_ring_ctx *ctx;
> 	unsigned long timeout = 0;
> 	char buf[TASK_COMM_LEN];
> 	DEFINE_WAIT(wait);
>
> 	sprintf(buf, "iou-sqp-%d", sqd->task_pid);
>
--
Pavel Begunkov
* Re: buffer overflow in io_sq_thread()
From: Stefan Metzmacher @ 2021-04-01 15:09 UTC (permalink / raw)
To: Pavel Begunkov, Alexey Dobriyan, axboe; +Cc: io-uring
On 01.04.21 at 10:51, Pavel Begunkov wrote:
> On 31/03/2021 21:24, Alexey Dobriyan wrote:
>> The code below will overflow because TASK_COMM_LEN is 16 but PID can be
>> as large as 1 billion, which is a 10-digit number.
>>
>> Currently not even Fedora ships pid_max that large but still...
>
> And is safer limited in any case. Thanks.
>
>>
>> Alexey
>>
>> static int io_sq_thread(void *data)
>> {
>> 	struct io_sq_data *sqd = data;
>> 	struct io_ring_ctx *ctx;
>> 	unsigned long timeout = 0;
>> 	char buf[TASK_COMM_LEN];
>> 	DEFINE_WAIT(wait);
>>
>> 	sprintf(buf, "iou-sqp-%d", sqd->task_pid);
I have patches for this, see
https://lore.kernel.org/io-uring/[email protected]/T/#m9a9707c76e0ca73b54676b5d0fe198587b36c1b4

As there's no urgent problem in 5.12, I'll repost them for 5.13...
metze