Commit 0a3fa955 authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman Committed by Kamal Mostafa

[stable-only] AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.
Reported-by: default avatarBen Hawkes <hawkes@google.com>
Acked-by: default avatarBenjamin LaHaise <bcrl@kvack.org>
Tested-by: default avatarWilly Tarreau <w@1wt.eu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent e6368d69
......@@ -1272,11 +1272,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb,
unsigned long *nr_segs,
struct iovec *iovec)
{
if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes)))
size_t len = kiocb->ki_nbytes;
if (len > MAX_RW_COUNT)
len = MAX_RW_COUNT;
if (unlikely(!access_ok(!rw, buf, len)))
return -EFAULT;
iovec->iov_base = buf;
iovec->iov_len = kiocb->ki_nbytes;
iovec->iov_len = len;
*nr_segs = 1;
return 0;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment