diff options
Diffstat (limited to 'aio-check-for-multiplication-overflow-in-do_io_submit.patch')
-rw-r--r-- | aio-check-for-multiplication-overflow-in-do_io_submit.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/aio-check-for-multiplication-overflow-in-do_io_submit.patch new file mode 100644 index 0000000..36b949c --- /dev/null +++ b/aio-check-for-multiplication-overflow-in-do_io_submit.patch @@ -0,0 +1,47 @@ +From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001 +From: Jeff Moyer <jmoyer@redhat.com> +Date: Fri, 10 Sep 2010 14:16:00 -0700 +Subject: [PATCH] aio: check for multiplication overflow in do_io_submit +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Tavis Ormandy pointed out that do_io_submit does not do proper bounds +checking on the passed-in iocb array: + +Â Â Â Â if (unlikely(nr < 0)) +Â Â Â Â Â Â Â Â return -EINVAL; + +Â Â Â Â if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp))))) +Â Â Â Â Â Â Â Â return -EFAULT; Â Â Â Â Â Â Â Â Â Â Â ^^^^^^^^^^^^^^^^^^ + +The attached patch checks for overflow, and if it is detected, the +number of iocbs submitted is scaled down to a number that will fit in +the long. Â This is an ok thing to do, as sys_io_submit is documented as +returning the number of iocbs submitted, so callers should handle a +return value of less than the 'nr' argument passed in. + +Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com> +Signed-off-by: Jeff Moyer <jmoyer@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + fs/aio.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/fs/aio.c b/fs/aio.c +index 3006b5b..1320b2a 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr, + if (unlikely(nr < 0)) + return -EINVAL; + ++ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp))) ++ nr = LONG_MAX/sizeof(*iocbpp); ++ + if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp))))) + return -EFAULT; + +-- +1.7.2.3 + |