* [PATCH 0/1] io_uring: validate the full range of provided buffers for access
@ 2020-06-05 1:01 Bijan Mottahedeh
2020-06-05 1:01 ` [PATCH 1/1] " Bijan Mottahedeh
2020-06-05 1:33 ` [PATCH 0/1] " Jens Axboe
0 siblings, 2 replies; 3+ messages in thread
From: Bijan Mottahedeh @ 2020-06-05 1:01 UTC (permalink / raw)
To: axboe; +Cc: io-uring
I hard coded (user_max_address() - PAGESIZE) as the start address
in liburing/test/read-write.c:test_buf_select() and provided two buffers
of PAGESIZE each. Without the patch, io_uring_prep_provide_buffers()
succeeds but the subsequent __test_io() obviously fails with -EFAULT.
With the patch, io_uring_prep_provide_buffers() fails with -EFAULT.
I think this would be a good test case to add but I'm not sure what
would be a generic way to implement it.
Bijan Mottahedeh (1):
io_uring: validate the full range of provided buffers for access
fs/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/1] io_uring: validate the full range of provided buffers for access
2020-06-05 1:01 [PATCH 0/1] io_uring: validate the full range of provided buffers for access Bijan Mottahedeh
@ 2020-06-05 1:01 ` Bijan Mottahedeh
2020-06-05 1:33 ` [PATCH 0/1] " Jens Axboe
1 sibling, 0 replies; 3+ messages in thread
From: Bijan Mottahedeh @ 2020-06-05 1:01 UTC (permalink / raw)
To: axboe; +Cc: io-uring
Account for the number of provided buffers when validating the address
range.
Signed-off-by: Bijan Mottahedeh <[email protected]>
---
fs/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index bb25e39..c64ea37 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3116,7 +3116,7 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
p->addr = READ_ONCE(sqe->addr);
p->len = READ_ONCE(sqe->len);
- if (!access_ok(u64_to_user_ptr(p->addr), p->len))
+ if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
return -EFAULT;
p->bgid = READ_ONCE(sqe->buf_group);
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 0/1] io_uring: validate the full range of provided buffers for access
2020-06-05 1:01 [PATCH 0/1] io_uring: validate the full range of provided buffers for access Bijan Mottahedeh
2020-06-05 1:01 ` [PATCH 1/1] " Bijan Mottahedeh
@ 2020-06-05 1:33 ` Jens Axboe
1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2020-06-05 1:33 UTC (permalink / raw)
To: Bijan Mottahedeh; +Cc: io-uring
On 6/4/20 7:01 PM, Bijan Mottahedeh wrote:
> I hard coded (user_max_address() - PAGESIZE) as the start address
> in liburing/test/read-write.c:test_buf_select() and provided two buffers
> of PAGESIZE each. Without the patch, io_uring_prep_provide_buffers()
> succeeds but the subsequent __test_io() obviously fails with -EFAULT.
> With the patch, io_uring_prep_provide_buffers() fails with -EFAULT.
> I think this would be a good test case to add but I'm not sure what
> would be a generic way to implement it.
Thanks, looks good to me. Applied for 5.8.
--
Jens Axboe
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-05 1:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-05 1:01 [PATCH 0/1] io_uring: validate the full range of provided buffers for access Bijan Mottahedeh
2020-06-05 1:01 ` [PATCH 1/1] " Bijan Mottahedeh
2020-06-05 1:33 ` [PATCH 0/1] " Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox