Commit 38134ada authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring: fix overflows checks in provide buffers 



Colin reported before possible overflow and sign extension problems in
io_provide_buffers_prep(). As Linus pointed out previous attempt did nothing
useful, see d81269fe ("io_uring: fix provide_buffers sign extension").

Do that with help of check_<op>_overflow helpers. And fix struct
io_provide_buf::len type, as it doesn't make much sense to keep it
signed.

Reported-by: default avatarColin Ian King <colin.king@canonical.com>
Fixes: efe68c1c ("io_uring: validate the full range of provided buffers for access")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/46538827e70fce5f6cdb50897cff4cacc490f380.1618488258.git.asml.silence@gmail.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent c82d5bc7

fs/io_uring.c

+8 −2
Original line number Diff line number Diff line
@@ -626,7 +626,7 @@ struct io_splice { 
struct io_provide_buf {

	struct file			*file;

	__u64				addr;

	__s32				len;

	__u32				len;

	__u32				bgid;

	__u16				nbufs;

	__u16				bid;
@@ -3918,7 +3918,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags) 
static int io_provide_buffers_prep(struct io_kiocb *req,

				   const struct io_uring_sqe *sqe)

{

	unsigned long size;

	unsigned long size, tmp_check;

	struct io_provide_buf *p = &req->pbuf;

	u64 tmp;
@@ -3932,6 +3932,12 @@ static int io_provide_buffers_prep(struct io_kiocb *req, 
	p->addr = READ_ONCE(sqe->addr);

	p->len = READ_ONCE(sqe->len);



	if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,

				&size))

		return -EOVERFLOW;

	if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))

		return -EOVERFLOW;



	size = (unsigned long)p->len * p->nbufs;

	if (!access_ok(u64_to_user_ptr(p->addr), size))

		return -EFAULT;