Commit 38134ada authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe

io_uring: fix overflows checks in provide buffers

Colin reported before possible overflow and sign extension problems in
io_provide_buffers_prep(). As Linus pointed out previous attempt did nothing
useful, see d81269fe ("io_uring: fix provide_buffers sign extension").

Do that with help of check_<op>_overflow helpers. And fix struct
io_provide_buf::len type, as it doesn't make much sense to keep it
signed.
Reported-by: default avatarColin Ian King <colin.king@canonical.com>
Fixes: efe68c1c ("io_uring: validate the full range of provided buffers for access")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/46538827e70fce5f6cdb50897cff4cacc490f380.1618488258.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent c82d5bc7
...@@ -626,7 +626,7 @@ struct io_splice { ...@@ -626,7 +626,7 @@ struct io_splice {
struct io_provide_buf { struct io_provide_buf {
struct file *file; struct file *file;
__u64 addr; __u64 addr;
__s32 len; __u32 len;
__u32 bgid; __u32 bgid;
__u16 nbufs; __u16 nbufs;
__u16 bid; __u16 bid;
...@@ -3918,7 +3918,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags) ...@@ -3918,7 +3918,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
static int io_provide_buffers_prep(struct io_kiocb *req, static int io_provide_buffers_prep(struct io_kiocb *req,
const struct io_uring_sqe *sqe) const struct io_uring_sqe *sqe)
{ {
unsigned long size; unsigned long size, tmp_check;
struct io_provide_buf *p = &req->pbuf; struct io_provide_buf *p = &req->pbuf;
u64 tmp; u64 tmp;
...@@ -3932,6 +3932,12 @@ static int io_provide_buffers_prep(struct io_kiocb *req, ...@@ -3932,6 +3932,12 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
p->addr = READ_ONCE(sqe->addr); p->addr = READ_ONCE(sqe->addr);
p->len = READ_ONCE(sqe->len); p->len = READ_ONCE(sqe->len);
if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
&size))
return -EOVERFLOW;
if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
return -EOVERFLOW;
size = (unsigned long)p->len * p->nbufs; size = (unsigned long)p->len * p->nbufs;
if (!access_ok(u64_to_user_ptr(p->addr), size)) if (!access_ok(u64_to_user_ptr(p->addr), size))
return -EFAULT; return -EFAULT;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment