Commit 2698377d authored by Greg Kroah-Hartman, committed by Jiri Slaby

AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.
Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
parent 6bfc19b4
...@@ -1380,11 +1380,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb, ...@@ -1380,11 +1380,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb,
unsigned long *nr_segs, unsigned long *nr_segs,
struct iovec *iovec) struct iovec *iovec)
{ {
if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes))) size_t len = kiocb->ki_nbytes;
if (len > MAX_RW_COUNT)
len = MAX_RW_COUNT;
if (unlikely(!access_ok(!rw, buf, len)))
return -EFAULT; return -EFAULT;
iovec->iov_base = buf; iovec->iov_base = buf;
iovec->iov_len = kiocb->ki_nbytes; iovec->iov_len = len;
*nr_segs = 1; *nr_segs = 1;
return 0; return 0;
} }
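Review bot: In aio_setup_single_vector, the clamp caps the local len at MAX_RW_COUNT but leaves kiocb->ki_nbytes at the caller-supplied value, so after return iovec->iov_len and kiocb->ki_nbytes can disagree. Either write the clamped value back to kiocb->ki_nbytes here, or add a comment stating that code running after this function must take the length from the iovec and not from ki_nbytes. A short comment above the clamp would also help, noting that an oversized request is silently truncated to MAX_RW_COUNT rather than rejected, and that access_ok() and iov_len are deliberately given the same clamped length.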