[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch

From cb4644cac4a2797afc847e6c92736664d4b0ea34 Mon Sep 17 00:00:00 2001
From: Jens Axboe <jaxboe@fusionio.com>
Date: Wed, 10 Nov 2010 14:36:25 +0100
Subject: bio: take care not overflow page count when mapping/copying user data

From: Jens Axboe <jaxboe@fusionio.com>

commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.

If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/bio.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/fs/bio.c
+++ b/fs/bio.c
@@ -834,6 +834,12 @@ struct bio *bio_copy_user_iov(struct req
 		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
 		start = uaddr >> PAGE_SHIFT;
 
+		/*
+		 * Overflow, abort
+		 */
+		if (end < start)
+			return ERR_PTR(-EINVAL);
+
 		nr_pages += end - start;
 		len += iov[i].iov_len;
 	}
@@ -962,6 +968,12 @@ static struct bio *__bio_map_user_iov(st
 		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
 		unsigned long start = uaddr >> PAGE_SHIFT;
 
+		/*
+		 * Overflow, abort
+		 */
+		if (end < start)
+			return ERR_PTR(-EINVAL);
+
 		nr_pages += end - start;
 		/*
 		 * buffer must be aligned to at least hardsector size for now
@@ -989,7 +1001,7 @@ static struct bio *__bio_map_user_iov(st
 		unsigned long start = uaddr >> PAGE_SHIFT;
 		const int local_nr_pages = end - start;
 		const int page_limit = cur_page + local_nr_pages;
-		
+
 		ret = get_user_pages_fast(uaddr, local_nr_pages,
 				write_to_vm, &pages[cur_page]);
 		if (ret < local_nr_pages) {
Commit	Line	Data
d86d85d9 GKH	1	From cb4644cac4a2797afc847e6c92736664d4b0ea34 Mon Sep 17 00:00:00 2001
	2	From: Jens Axboe <jaxboe@fusionio.com>
	3	Date: Wed, 10 Nov 2010 14:36:25 +0100
	4	Subject: bio: take care not overflow page count when mapping/copying user data
	5
	6	From: Jens Axboe <jaxboe@fusionio.com>
	7
	8	commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
	9
	10	If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
	11	to overflow, we could end up attempting to map a huge number of
	12	pages. Check for this invalid input type.
	13
	14	Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
	15	Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
	16	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	17
	18	---
	19	fs/bio.c \| 14 +++++++++++++-
	20	1 file changed, 13 insertions(+), 1 deletion(-)
	21
	22	--- a/fs/bio.c
	23	+++ b/fs/bio.c
	24	@@ -834,6 +834,12 @@ struct bio *bio_copy_user_iov(struct req
	25	end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
	26	start = uaddr >> PAGE_SHIFT;
	27
	28	+ /*
	29	+ * Overflow, abort
	30	+ */
	31	+ if (end < start)
	32	+ return ERR_PTR(-EINVAL);
	33	+
	34	nr_pages += end - start;
	35	len += iov[i].iov_len;
	36	}
	37	@@ -962,6 +968,12 @@ static struct bio *__bio_map_user_iov(st
	38	unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
	39	unsigned long start = uaddr >> PAGE_SHIFT;
	40
	41	+ /*
	42	+ * Overflow, abort
	43	+ */
	44	+ if (end < start)
	45	+ return ERR_PTR(-EINVAL);
	46	+
	47	nr_pages += end - start;
	48	/*
	49	* buffer must be aligned to at least hardsector size for now
	50	@@ -989,7 +1001,7 @@ static struct bio *__bio_map_user_iov(st
	51	unsigned long start = uaddr >> PAGE_SHIFT;
	52	const int local_nr_pages = end - start;
	53	const int page_limit = cur_page + local_nr_pages;
	54	-
	55	+
	56	ret = get_user_pages_fast(uaddr, local_nr_pages,
	57	write_to_vm, &pages[cur_page]);
	58	if (ret < local_nr_pages) {