* [PATCH v2] io_uring: reg buffer overflow checks hardening
@ 2021-03-24 22:59 Pavel Begunkov
2021-03-25 19:17 ` Jens Axboe
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Begunkov @ 2021-03-24 22:59 UTC (permalink / raw)
To: Jens Axboe, io-uring
We are safe with overflows in io_sqe_buffer_register() because it will
just yield alloc failure, but it's nicer to check explicitly.
v2: replace u64 with ulong to handle 32 bit and match
io_sqe_buffer_register() math. (Jens)
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f3ae83a2d7bc..f1a3dea05221 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8306,6 +8306,8 @@ static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
static int io_buffer_validate(struct iovec *iov)
{
+ unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
+
/*
* Don't impose further limits on the size and buffer
* constraints here, we'll -EINVAL later when IO is
@@ -8318,6 +8320,9 @@ static int io_buffer_validate(struct iovec *iov)
if (iov->iov_len > SZ_1G)
return -EFAULT;
+ if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
+ return -EOVERFLOW;
+
return 0;
}
--
2.24.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] io_uring: reg buffer overflow checks hardening
2021-03-25 19:17 ` Jens Axboe
@ 2021-03-25 19:15 ` Pavel Begunkov
0 siblings, 0 replies; 3+ messages in thread
From: Pavel Begunkov @ 2021-03-25 19:15 UTC (permalink / raw)
To: Jens Axboe, io-uring
On 25/03/2021 19:17, Jens Axboe wrote:
> On 3/24/21 4:59 PM, Pavel Begunkov wrote:
>> We are safe with overflows in io_sqe_buffer_register() because it will
>> just yield alloc failure, but it's nicer to check explicitly.
>>
>> v2: replace u64 with ulong to handle 32 bit and match
>> io_sqe_buffer_register() math. (Jens)
>
> Applied for 5.13 - btw, and I think that was an oversight on this one,
> just put the version stuff below the '---' as it should not go into
> the git log.
right, thanks!
--
Pavel Begunkov
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] io_uring: reg buffer overflow checks hardening
2021-03-24 22:59 [PATCH v2] io_uring: reg buffer overflow checks hardening Pavel Begunkov
@ 2021-03-25 19:17 ` Jens Axboe
2021-03-25 19:15 ` Pavel Begunkov
0 siblings, 1 reply; 3+ messages in thread
From: Jens Axboe @ 2021-03-25 19:17 UTC (permalink / raw)
To: Pavel Begunkov, io-uring
On 3/24/21 4:59 PM, Pavel Begunkov wrote:
> We are safe with overflows in io_sqe_buffer_register() because it will
> just yield alloc failure, but it's nicer to check explicitly.
>
> v2: replace u64 with ulong to handle 32 bit and match
> io_sqe_buffer_register() math. (Jens)
Applied for 5.13 - btw, and I think that was an oversight on this one,
just put the version stuff below the '---' as it should not go into
the git log.
--
Jens Axboe
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-25 19:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-24 22:59 [PATCH v2] io_uring: reg buffer overflow checks hardening Pavel Begunkov
2021-03-25 19:17 ` Jens Axboe
2021-03-25 19:15 ` Pavel Begunkov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox