Commit 50e96989 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring: reg buffer overflow checks hardening 



We are safe with overflows in io_sqe_buffer_register() because it will
just yield alloc failure, but it's nicer to check explicitly.

Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/2b0625551be3d97b80a5fd21c8cd79dc1c91f0b5.1616624589.git.asml.silence@gmail.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 548d819d

fs/io_uring.c

+5 −0
Original line number Diff line number Diff line
@@ -8404,6 +8404,8 @@ static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args) 


static int io_buffer_validate(struct iovec *iov)

{

	unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);



	/*

	 * Don't impose further limits on the size and buffer

	 * constraints here, we'll -EINVAL later when IO is
@@ -8416,6 +8418,9 @@ static int io_buffer_validate(struct iovec *iov) 
	if (iov->iov_len > SZ_1G)

		return -EFAULT;



	if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))

		return -EOVERFLOW;



	return 0;

}