* [PATCH] io_uring: check for rollover of buffer ID when providing buffers
@ 2022-11-10 17:55 Jens Axboe
2022-11-10 18:08 ` Jens Axboe
0 siblings, 1 reply; 2+ messages in thread
From: Jens Axboe @ 2022-11-10 17:55 UTC (permalink / raw)
To: io-uring; +Cc: Olivier Langlois
We already check if the chosen starting offset for the buffer IDs fit
within an unsigned short, as 65535 is the maximum value for a provided
buffer. But if the caller asks to add N buffers at offset M, and M + N
would exceed the size of the unsigned short, we simply add buffers with
wrapping around the ID.
This is not necessarily a bug and could in fact be a valid use case, but
it seems confusing and inconsistent with the initial check for starting
offset. Let's check for wrap consistently, and error the addition if we
do need to wrap.
Reported-by: Oliver Lang <[email protected]>
Link: https://github.com/axboe/liburing/issues/726
Cc: [email protected]
Signed-off-by: Jens Axboe <[email protected]>
---
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index 25cd724ade18..e2c46889d5fa 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -346,6 +346,8 @@ int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
tmp = READ_ONCE(sqe->off);
if (tmp > USHRT_MAX)
return -E2BIG;
+ if (tmp + p->nbufs >= USHRT_MAX)
+ return -EINVAL;
p->bid = tmp;
return 0;
}
--
Jens Axboe
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] io_uring: check for rollover of buffer ID when providing buffers
2022-11-10 17:55 [PATCH] io_uring: check for rollover of buffer ID when providing buffers Jens Axboe
@ 2022-11-10 18:08 ` Jens Axboe
0 siblings, 0 replies; 2+ messages in thread
From: Jens Axboe @ 2022-11-10 18:08 UTC (permalink / raw)
To: io-uring; +Cc: Olivier Langlois
On 11/10/22 10:55 AM, Jens Axboe wrote:
> We already check if the chosen starting offset for the buffer IDs fit
> within an unsigned short, as 65535 is the maximum value for a provided
> buffer. But if the caller asks to add N buffers at offset M, and M + N
> would exceed the size of the unsigned short, we simply add buffers with
> wrapping around the ID.
>
> This is not necessarily a bug and could in fact be a valid use case, but
> it seems confusing and inconsistent with the initial check for starting
> offset. Let's check for wrap consistently, and error the addition if we
> do need to wrap.
>
> Reported-by: Oliver Lang <[email protected]>
Sorry, that was the wrong email, I have updated the commit locally.
--
Jens Axboe
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-11-10 18:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-10 17:55 [PATCH] io_uring: check for rollover of buffer ID when providing buffers Jens Axboe
2022-11-10 18:08 ` Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox