forked from Minki/linux
io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers
Read and write operations are capped to MAX_RW_COUNT. Some read ops rely on
that limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.
Truncate those lengths when doing io_add_buffers, so buffer addresses still
use the uncapped length.
Also, take the chance and change struct io_buffer len member to __u32, so
it matches struct io_provide_buffer len member.
This fixes CVE-2021-3491, also reported as ZDI-CAN-13546.
Fixes: ddf0322db7
("io_uring: add IORING_OP_PROVIDE_BUFFERS")
Reported-by: Billy Jheng Bing-Jhong (@st424204)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
parent
bb6659cc0a
commit
d1f8280887
@ -251,7 +251,7 @@ struct io_rsrc_data {
|
|||||||
struct io_buffer {
|
struct io_buffer {
|
||||||
struct list_head list;
|
struct list_head list;
|
||||||
__u64 addr;
|
__u64 addr;
|
||||||
__s32 len;
|
__u32 len;
|
||||||
__u16 bid;
|
__u16 bid;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -3986,7 +3986,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
buf->addr = addr;
|
buf->addr = addr;
|
||||||
buf->len = pbuf->len;
|
buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
|
||||||
buf->bid = bid;
|
buf->bid = bid;
|
||||||
addr += pbuf->len;
|
addr += pbuf->len;
|
||||||
bid++;
|
bid++;
|
||||||
|
Loading…
Reference in New Issue
Block a user