Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring/fdinfo: validate opcode before checking if it's an 128b one

The mixed SQE support assumes that userspace always passes valid data,
that is not the case. Validate the opcode properly before indexing
the io_issue_defs[] array, and pass it through the nospec indexing
as well as it's a user valid indexing a kernel array.

Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
Reported-by: syzbot+b883b008a0b1067d5833@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

+4
+4
io_uring/fdinfo.c
··· 5 5 #include <linux/file.h> 6 6 #include <linux/proc_fs.h> 7 7 #include <linux/seq_file.h> 8 + #include <linux/nospec.h> 8 9 #include <linux/io_uring.h> 9 10 10 11 #include <uapi/linux/io_uring.h> ··· 108 107 109 108 sqe = &ctx->sq_sqes[sq_idx << sq_shift]; 110 109 opcode = READ_ONCE(sqe->opcode); 110 + if (opcode >= IORING_OP_LAST) 111 + continue; 112 + opcode = array_index_nospec(opcode, IORING_OP_LAST); 111 113 if (sq_shift) { 112 114 sqe128 = true; 113 115 } else if (io_issue_defs[opcode].is_128) {
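Review bot: the `continue` taken when `opcode >= IORING_OP_LAST` skips the remainder of the loop body, so an entry with an invalid opcode disappears from the fdinfo output with no trace, and any per-iteration bookkeeping done further down the body (not visible in this hunk) is skipped with it. Please confirm the loop still advances on that path, and consider emitting a marker line for the rejected entry instead of dropping it silently. A one-line comment above the check noting that `sqe->opcode` is read from memory userspace can write at any time would also explain why both the range check and `array_index_nospec()` are needed before `io_issue_defs[opcode].is_128` is evaluated.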