authorPavel Begunkov <asml.silence@gmail.com>2021-03-24 22:59:01 +0000
committerJens Axboe <axboe@kernel.dk>2021-04-11 17:42:00 -0600
commit50e96989d736b8e5623059815247be01ca6713c1 (patch)
tree06c95005b9bb4209e110cb1c2e506f1cdc79be02 /fs/io_uring.c
parent548d819d1eed7b6bf86d36c8de2fbc54b69db571 (diff)
io_uring: reg buffer overflow checks hardening
We are safe with overflows in io_sqe_buffer_register() because it will just yield alloc failure, but it's nicer to check explicitly. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/2b0625551be3d97b80a5fd21c8cd79dc1c91f0b5.1616624589.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs/io_uring.c')
-rw-r--r--fs/io_uring.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 852f9e908904..2be6f3f9578f 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8404,6 +8404,8 @@ static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
static int io_buffer_validate(struct iovec *iov)
{
+ unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
+
/*
* Don't impose further limits on the size and buffer
* constraints here, we'll -EINVAL later when IO is
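Review bot: The initializer of `acct_len` on the first added line adds `PAGE_SIZE - 1` to `iov->iov_len` before any bound on `iov_len` has been checked, so for a length close to the top of the `unsigned long` range that sum itself wraps. It is harmless only because the `iov->iov_len > SZ_1G` test in the next hunk returns before `acct_len` is read, an ordering dependency that a later edit could break silently. I would either assign it after the size test, `acct_len = iov->iov_len + (PAGE_SIZE - 1);`, or keep it here with a comment such as `/* safe when used: iov_len <= SZ_1G is checked before acct_len is read */`. The function body continues past this hunk, and the lines between the two hunks are not visible.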
@@ -8416,6 +8418,9 @@ static int io_buffer_validate(struct iovec *iov)
if (iov->iov_len > SZ_1G)
return -EFAULT;
+ if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
+ return -EOVERFLOW;
+
return 0;
}
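Review bot: The added check returns `-EOVERFLOW` while the size test just above it returns `-EFAULT`, and nothing here says why the page-rounded length rather than plain `iov_len` is added to the base address. A short comment above the check would cover both, for example `/* base + len rounded up to a page must not wrap; tmp is only a sink for the sum */`. Presumably this mirrors the arithmetic in io_sqe_buffer_register() that the commit message refers to, but that code is not visible here, so it is worth confirming the two stay in step. It is also worth confirming that callers of the registration path expect the new errno. The function starts in the previous hunk.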