Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring: fix regbuf vector size truncation

There is a report of io_estimate_bvec_size() truncating the calculated
number of segments that leads to corruption issues. Check it doesn't
overflow "int"s used later. Rough but simple, can be improved on top.

Cc: stable@vger.kernel.org
Fixes: 9ef4cbbcb4ac3 ("io_uring: add infra for importing vectored reg buffers")
Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-458654612@google.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Günther Noack <gnoack@google.com>
Tested-by: Günther Noack <gnoack@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by Pavel Begunkov and committed by Jens Axboe
146eb586 1fd53673

+9 -2
io_uring/rsrc.c
··· 1403 1403 size_t max_segs = 0; 1404 1404 unsigned i; 1405 1405 1406 - for (i = 0; i < nr_iovs; i++) 1406 + for (i = 0; i < nr_iovs; i++) { 1407 1407 max_segs += (iov[i].iov_len >> shift) + 2; 1408 + if (max_segs > INT_MAX) 1409 + return -EOVERFLOW; 1410 + } 1408 1411 return max_segs; 1409 1412 } 1410 1413 ··· 1513 1510 if (unlikely(ret)) 1514 1511 return ret; 1515 1512 } else { 1516 - nr_segs = io_estimate_bvec_size(iov, nr_iovs, imu); 1513 + int ret = io_estimate_bvec_size(iov, nr_iovs, imu); 1514 + 1515 + if (ret < 0) 1516 + return ret; 1517 + nr_segs = ret; 1517 1518 } 1518 1519 1519 1520 if (sizeof(struct bio_vec) > sizeof(struct iovec)) {
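Review bot: the new `if (max_segs > INT_MAX)` check in the first hunk has no comment saying which later `int` it protects. The commit message explains it ("Check it doesn't overflow "int"s used later"), and a one-line comment to that effect above the check would keep the bound from looking arbitrary to the next reader. The function also now returns `-EOVERFLOW` next to `return max_segs;`, where `max_segs` is a `size_t`. Its signature is outside the visible context, so please confirm the declared return type is a signed `int`, since the caller added in the second hunk depends on `ret < 0`.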
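Review bot: in the second hunk, `int ret` is declared inside the `else` block while the branch just above it already uses a `ret` (`if (unlikely(ret))` / `return ret;`). If that variable is function-scoped, the new declaration shadows it; reusing the existing `ret` would avoid the shadow and match the error-handling pattern of the other branch. The declaration of `nr_segs` is also outside the visible context, so it is worth checking that its type holds any non-negative `int` without narrowing at `nr_segs = ret;`.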