mirror of
https://github.com/torvalds/linux.git
synced 2024-11-25 21:51:40 +00:00
io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers
Read and write operations are capped to MAX_RW_COUNT. Some read ops rely on
that limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.
Truncate those lengths when doing io_add_buffers, so buffer addresses still
use the uncapped length.
Also, take the chance and change struct io_buffer len member to __u32, so
it matches struct io_provide_buffer len member.
This fixes CVE-2021-3491, also reported as ZDI-CAN-13546.
Fixes: ddf0322db7
("io_uring: add IORING_OP_PROVIDE_BUFFERS")
Reported-by: Billy Jheng Bing-Jhong (@st424204)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
parent
bb6659cc0a
commit
d1f8280887
@ -251,7 +251,7 @@ struct io_rsrc_data {
|
||||
struct io_buffer {
|
||||
struct list_head list;
|
||||
__u64 addr;
|
||||
__s32 len;
|
||||
__u32 len;
|
||||
__u16 bid;
|
||||
};
|
||||
|
||||
@ -3986,7 +3986,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
|
||||
break;
|
||||
|
||||
buf->addr = addr;
|
||||
buf->len = pbuf->len;
|
||||
buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
|
||||
buf->bid = bid;
|
||||
addr += pbuf->len;
|
||||
bid++;
|
||||
|
Loading…
Reference in New Issue
Block a user