io_uring/cancel: validate opcode for IORING_ASYNC_CANCEL_OP
authorAmir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Tue, 31 Mar 2026 23:21:13 +0000 (02:51 +0330)
committerJens Axboe <axboe@kernel.dk>
Wed, 1 Apr 2026 16:21:13 +0000 (10:21 -0600)
io_async_cancel_prep() reads the opcode selector from sqe->len and
stores it in cancel->opcode, which is an 8-bit field. Since sqe->len
is a 32-bit value, values larger than U8_MAX are implicitly truncated.

This can cause unintended opcode matches when the truncated value
corresponds to a valid io_uring opcode. For example, submitting a value
such as 0x10b will be truncated to 0x0b (IORING_OP_TIMEOUT), allowing a
cancel request to match operations it did not intend to target.
Validate the opcode value before assigning it to the 8-bit field and
reject values outside the valid io_uring opcode range.

Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Link: https://patch.msgid.link/20260331232113.615972-1-a.jahangirzad@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring/cancel.c

index 65e04063e343b01d4442d6f6f179acdd4f4d6f7e..5e5eb9cfc7cd6f1197a75312399cb3611d3044e2 100644 (file)
@@ -156,9 +156,16 @@ int io_async_cancel_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
                cancel->fd = READ_ONCE(sqe->fd);
        }
        if (cancel->flags & IORING_ASYNC_CANCEL_OP) {
+               u32 op;
+
                if (cancel->flags & IORING_ASYNC_CANCEL_ANY)
                        return -EINVAL;
-               cancel->opcode = READ_ONCE(sqe->len);
+
+               op = READ_ONCE(sqe->len);
+               if (op >= IORING_OP_LAST)
+                       return -EINVAL;
+
+               cancel->opcode = op;
        }
 
        return 0;
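Review bot: The new range check at `if (op >= IORING_OP_LAST)` deserves a one-line comment, because a reader only sees a 32-bit compare feeding an 8-bit store and cannot tell from the code that the bound is there to stop truncation aliasing a different opcode; suggest `/* opcode is u8: reject values that would truncate or name no known opcode */` directly above it. A second, smaller point: values in the range IORING_OP_LAST..U8_MAX were previously stored and matched nothing, so presumably the cancel failed later with a not-found error, whereas they now fail with -EINVAL at prep time; that looks intentional but is a visible change in the error returned to userspace and is worth one sentence in the commit message. io_async_cancel_prep() starts before the hunk.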