1 | From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001 |
2 | From: Jeff Moyer <jmoyer@redhat.com> | |
3 | Date: Fri, 10 Sep 2010 14:16:00 -0700 | |
4 | Subject: aio: check for multiplication overflow in do_io_submit | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | From: Jeff Moyer <jmoyer@redhat.com> | |
10 | ||
11 | commit 75e1c70fc31490ef8a373ea2a4bea2524099b478 upstream. | |
12 | ||
13 | Tavis Ormandy pointed out that do_io_submit does not do proper bounds | |
14 | checking on the passed-in iocb array: | |
15 | ||
16 | if (unlikely(nr < 0)) | |
17 | return -EINVAL; | |
18 | ||
19 | if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp))))) | |
20 | return -EFAULT; ^^^^^^^^^^^^^^^^^^ | |
21 | ||
22 | The attached patch checks for overflow, and if it is detected, the | |
23 | number of iocbs submitted is scaled down to a number that will fit in | |
24 | the long. This is an ok thing to do, as sys_io_submit is documented as | |
25 | returning the number of iocbs submitted, so callers should handle a | |
26 | return value of less than the 'nr' argument passed in. | |
27 | ||
28 | Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com> | |
29 | Signed-off-by: Jeff Moyer <jmoyer@redhat.com> | |
30 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
31 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
32 | ||
33 | --- | |
34 | fs/aio.c | 3 +++ | |
35 | 1 file changed, 3 insertions(+) | |
36 | ||
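--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1667,6 +1667,9 @@ long do_io_submit(aio_context_t ctx_id,
 	if (unlikely(nr < 0))
 		return -EINVAL;
 
+	if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
+		nr = LONG_MAX/sizeof(*iocbpp);
+
 	if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
 		return -EFAULT;
 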
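Review bot: The added clamp compares the signed `long nr` against `LONG_MAX/sizeof(*iocbpp)`, which has type `size_t`, so the comparison is only well defined because the `nr < 0` check two lines above has already run; that ordering dependency is invisible at the clamp itself and should be stated, e.g. `/* nr >= 0 here (checked above), so comparing against the size_t bound is safe */`. Silently reducing `nr` instead of rejecting the request means the caller gets back fewer submitted iocbs than it asked for; the commit message justifies this via the documented sys_io_submit return contract, but a one-line comment at the clamp, `/* scale nr down so nr*sizeof(*iocbpp) cannot overflow a long; callers must handle a short count */`, would spare the next reader a trip to the commit log. If a compat entry point computes the same `nr * sizeof` product for its own iocb pointer array, it presumably needs an equivalent bound, but that code is not visible here. do_io_submit's body continues outside the hunk.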