public inbox for [email protected]
 help / color / mirror / Atom feed
* [PATCH 5.12] io_uring: reg buffer overflow checks hardening
@ 2021-03-24 14:40 Pavel Begunkov
  2021-03-24 14:55 ` Jens Axboe
  0 siblings, 1 reply; 3+ messages in thread
From: Pavel Begunkov @ 2021-03-24 14:40 UTC (permalink / raw)
  To: Jens Axboe, io-uring

We are safe with overflows in io_sqe_buffer_register() because it will
only yield allocation failure, but it's nicer to check explicitly.

Signed-off-by: Pavel Begunkov <[email protected]>
---
 fs/io_uring.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index f3ae83a2d7bc..c33c2eb2a131 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8306,6 +8306,8 @@ static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
 
 static int io_buffer_validate(struct iovec *iov)
 {
+	u64 tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
+
 	/*
 	 * Don't impose further limits on the size and buffer
 	 * constraints here, we'll -EINVAL later when IO is
@@ -8318,6 +8320,9 @@ static int io_buffer_validate(struct iovec *iov)
 	if (iov->iov_len > SZ_1G)
 		return -EFAULT;
 
+	if (check_add_overflow((u64)iov->iov_base, acct_len, &tmp))
+		return -EOVERFLOW;
+
 	return 0;
 }
 
-- 
2.24.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-03-24 15:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-24 14:40 [PATCH 5.12] io_uring: reg buffer overflow checks hardening Pavel Begunkov
2021-03-24 14:55 ` Jens Axboe
2021-03-24 15:02   ` Pavel Begunkov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox