authorPavel Begunkov <asml.silence@gmail.com>2025-11-07 18:41:26 +0000
committerJens Axboe <axboe@kernel.dk>2025-11-07 17:17:13 -0700
commit146eb58629f45f8297e83d69e64d4eea4b28d972 (patch)
tree535b9a688444edf6b4cba37695920c3370473d48
parent1fd5367391bf0eeb09e624c4ab45121b54eaab96 (diff)
io_uring: fix regbuf vector size truncation
There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow "int"s used later. Rough but simple, can be improved on top. Cc: stable@vger.kernel.org Fixes: 9ef4cbbcb4ac3 ("io_uring: add infra for importing vectored reg buffers") Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-458654612@google.com> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Reviewed-by: Günther Noack <gnoack@google.com> Tested-by: Günther Noack <gnoack@google.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
-rw-r--r--io_uring/rsrc.c11
1 files changed, 9 insertions, 2 deletions
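diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index d787c16dc1c3a2..2602d76d5ff0e5 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1403,8 +1403,11 @@ static int io_estimate_bvec_size(struct iovec *iov, unsigned nr_iovs,
 size_t max_segs = 0;
 unsigned i;
-for (i = 0; i < nr_iovs; i++)
+for (i = 0; i < nr_iovs; i++) {
 max_segs += (iov[i].iov_len >> shift) + 2;
+if (max_segs > INT_MAX)
+return -EOVERFLOW;
+}
 return max_segs;
 }
@@ -1510,7 +1513,11 @@ int io_import_reg_vec(int ddir, struct iov_iter *iter,
 if (unlikely(ret))
 return ret;
 } else {
-nr_segs = io_estimate_bvec_size(iov, nr_iovs, imu);
+int ret = io_estimate_bvec_size(iov, nr_iovs, imu);
+
+if (ret < 0)
+return ret;
+nr_segs = ret;
 }
 if (sizeof(struct bio_vec) > sizeof(struct iovec)) {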
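Review bot: io_estimate_bvec_size() now has a mixed return contract — a segment count or a negative errno — but nothing at its definition says so; its header is above the first hunk, and I would add there `/* Returns the estimated bio_vec count, or -EOVERFLOW if the total would not fit in an int; callers must check for a negative value before using the result as a count. */` so any other caller does not keep treating the result as an unsigned count. The per-iteration `if (max_segs > INT_MAX)` is what makes the bound sound: it trips on the first iovec that pushes the running sum over the limit, so a user-supplied vector cannot wrap the size_t accumulator, provided a single `(iov_len >> shift) + 2` stays well below SIZE_MAX - INT_MAX — true for any page-sized shift, which is presumably what `shift` is here. In the second hunk the block-scoped `int ret` mirrors the existing `ret` handling in the `if` branch, and the `ret < 0` test before `nr_segs = ret` is what keeps a negative errno from being stored into `nr_segs` (presumably unsigned); a one-line comment such as `/* negative errno must not be widened into a segment count */` would make that intent explicit. io_import_reg_vec() starts and ends outside the hunk.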