Commit c4f4b826 authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman

AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.
Reported-by: default avatarBen Hawkes <hawkes@google.com>
Acked-by: default avatarBenjamin LaHaise <bcrl@kvack.org>
Tested-by: default avatarWilly Tarreau <w@1wt.eu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 509d0000
...@@ -1375,11 +1375,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb, ...@@ -1375,11 +1375,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb,
unsigned long *nr_segs, unsigned long *nr_segs,
struct iovec *iovec) struct iovec *iovec)
{ {
if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes))) size_t len = kiocb->ki_nbytes;
if (len > MAX_RW_COUNT)
len = MAX_RW_COUNT;
if (unlikely(!access_ok(!rw, buf, len)))
return -EFAULT; return -EFAULT;
iovec->iov_base = buf; iovec->iov_base = buf;
iovec->iov_len = kiocb->ki_nbytes; iovec->iov_len = len;
*nr_segs = 1; *nr_segs = 1;
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment