AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers. Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue. Reported-by: Ben Hawkes <hawkes@google.com> Acked-by: Benjamin LaHaise <bcrl@kvack.org> Tested-by: Willy Tarreau <w@1wt.eu> [backported to 3.10 - willy] Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

AIO: properly check iovec sizes
In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers. Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue. Reported-by: Ben Hawkes <hawkes@google.com> Acked-by: Benjamin LaHaise <bcrl@kvack.org> Tested-by: Willy Tarreau <w@1wt.eu> [backported to 3.10 - willy] Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ff19ac8f · Greg Kroah-Hartman · 8355335f · ff19ac8f
Commit ff19ac8f authored Feb 19, 2016 by Greg Kroah-Hartman
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

fs/aio.c fs/aio.c +8 -3

No files found.
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
 static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
 {
-	if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
+	size_t len = kiocb->ki_nbytes;
-		return -EFAULT;
+	if (len > MAX_RW_COUNT)
+		len = MAX_RW_COUNT;
+	if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
+                return -EFAULT;
 	kiocb->ki_iovec = &kiocb->ki_inline_vec;
 	kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-	kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
+	kiocb->ki_iovec->iov_len = len;
 	kiocb->ki_nr_segs = 1;
 	return 0;
 }