From: Jens Axboe <[email protected]>
To: Pavel Begunkov <[email protected]>, [email protected]
Subject: Re: [PATCH 5.12] io_uring: reg buffer overflow checks hardening
Date: Wed, 24 Mar 2021 08:55:43 -0600
Message-ID: <[email protected]>
In-Reply-To: <41c8fce27c696171e845a6304f87ec06d853c5a6.1616596655.git.asml.silence@gmail.com>

On 3/24/21 8:40 AM, Pavel Begunkov wrote:
> We are safe with overflows in io_sqe_buffer_register() because it will
> only yield allocation failure, but it's nicer to check explicitly.

Right, either that or fault when mapping. So nothing serious here, but
would be nice to clean up though and just explicitly make it return
-EOVERFLOW when that is the case.

> @@ -8306,6 +8306,8 @@ static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
>  
>  static int io_buffer_validate(struct iovec *iov)
>  {
> +	u64 tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
> +

No need for those parens.

>  	/*
>  	 * Don't impose further limits on the size and buffer
>  	 * constraints here, we'll -EINVAL later when IO is
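
Review bot: In the declaration at the top of io_buffer_validate(), acct_len is computed from iov->iov_len before any bound on iov_len has been checked, and the addition is done at the width of iov_len (size_t) and only afterwards stored into a u64, so on a 32-bit build the sum could wrap before it is widened. The value is only consumed after the SZ_1G check in the next hunk, so the outcome is still safe, but computing acct_len after that check, or declaring tmp and acct_len as unsigned long, would make that evident to the reader.
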
> @@ -8318,6 +8320,9 @@ static int io_buffer_validate(struct iovec *iov)
>  	if (iov->iov_len > SZ_1G)
>  		return -EFAULT;
>  
> +	if (check_add_overflow((u64)iov->iov_base, acct_len, &tmp))
> +		return -EOVERFLOW;
> +
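
Review bot: The (u64)iov->iov_base cast in the check_add_overflow() call makes the addition 64 bits wide regardless of pointer size, so on a 32-bit build a base plus acct_len that runs past the top of the address space would not be reported as -EOVERFLOW, and casting a 32-bit pointer straight to u64 typically draws a pointer-to-integer size warning. Doing the check at pointer width, with tmp and acct_len declared unsigned long and the base cast to (unsigned long), covers both 32-bit and 64-bit builds. tmp serves only as the overflow sink, which is fine.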

Is this right for 32-bit?

-- 
Jens Axboe
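
The 32-bit question raised above, as an added example that is not part of the original message or of the kernel's code: it models a 32-bit address space with uint32_t and compares an overflow check done in 64-bit arithmetic (as with the quoted hunk's u64 cast) against one done at pointer width. struct iovec32, the function names, the _MODEL constants and the sample values are assumptions; the GCC/Clang builtin __builtin_add_overflow stands in for check_add_overflow().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_MODEL 4096u        /* assumed page size */
#define SZ_1G_MODEL     (1u << 30)

/* Hypothetical model of struct iovec on a 32-bit build. */
struct iovec32 {
    uint32_t iov_base;
    uint32_t iov_len;
};

/* Shape of the quoted hunk: the address operand is widened to 64 bits. */
static int validate_u64(const struct iovec32 *iov)
{
    uint64_t tmp, acct_len = iov->iov_len + (PAGE_SIZE_MODEL - 1);

    if (iov->iov_len > SZ_1G_MODEL)
        return -EFAULT;
    if (__builtin_add_overflow((uint64_t)iov->iov_base, acct_len, &tmp))
        return -EOVERFLOW;
    return 0;
}

/* Same check done at the width of the modelled address space. */
static int validate_native(const struct iovec32 *iov)
{
    uint32_t tmp, acct_len;

    if (iov->iov_len > SZ_1G_MODEL)
        return -EFAULT;
    acct_len = iov->iov_len + (PAGE_SIZE_MODEL - 1); /* cannot wrap after the 1G check */
    if (__builtin_add_overflow(iov->iov_base, acct_len, &tmp))
        return -EOVERFLOW;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one buffer ending past 4 GiB, one ordinary buffer. */
    struct iovec32 wrap = { .iov_base = 0xFFFFF000u, .iov_len = 0x2000u };
    struct iovec32 ok   = { .iov_base = 0x10000000u, .iov_len = 0x2000u };

    printf("wrap: u64=%d native=%d\n", validate_u64(&wrap), validate_native(&wrap));
    printf("ok:   u64=%d native=%d\n", validate_u64(&ok), validate_native(&ok));
    return 0;
}
```
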

