From: Benjamin LaHaise <bcrl@kvack.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Jan Kara <jack@suse.cz>, Alexander Viro <viro@zeniv.linux.org.uk>,
linux-aio <linux-aio@kvack.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Sasha Levin <sasha.levin@oracle.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>
Subject: Re: int overflow in io_getevents
Date: Thu, 7 Jan 2016 10:52:34 -0500
Message-ID: <20160107155234.GM4439@kvack.org>
In-Reply-To: <CACT4Y+bD6NXGf6Ry+9rP5mKWbQ1sWb2O-+8HuyRmiK+-gVJTtg@mail.gmail.com>
On Thu, Jan 07, 2016 at 04:37:43PM +0100, Dmitry Vyukov wrote:
> pass ts to the function
Yeah, I should have had my morning coffee before hitting send. Updated
below, and hopefully final. Checked with a test program to confirm that
the huge value of seconds in timespec correctly waits, and that negative
or other invalid values fail with EINVAL (download from
http://www.kvack.org/~bcrl/aio-io_getevents-timespec.c ).
-ben
--
"Thought is the essence of where you are now."
commit 49b78150bc5762c58cfb8b19a859c354cf1a71ac
Author: Benjamin LaHaise <bcrl@kvack.org>
Date: Thu Jan 7 10:37:58 2016 -0500
aio: handle integer overflow in io_getevents() timespec usage
Dmitry Vyukov reported an integer overflow in io_getevents() when
running a fuzzer. Upon investigation, the trigger appears to be that
an invalid value for tv_sec or tv_nsec was passed in, which is not
handled by timespec_to_ktime(). This patch fixes that by making
io_getevents() return -EINVAL when timespec_valid() checks fail. We
use timespec_valid() instead of timespec_valid_strict() to avoid issues
caused by userspace not knowing the cutoff for KTIME_SEC_MAX.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
diff --git a/fs/aio.c b/fs/aio.c
index 155f842..e0d5398 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1269,6 +1269,8 @@ static long read_events(struct kioctx *ctx, long min_nr, long nr,
if (unlikely(copy_from_user(&ts, timeout, sizeof(ts))))
return -EFAULT;
+ if (!timespec_valid(&ts))
+ return -EINVAL;
until = timespec_to_ktime(ts);
}
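Review bot: the check added between copy_from_user() and timespec_to_ktime() makes a negative tv_sec or an out-of-range tv_nsec a user-visible -EINVAL from io_getevents(), where such values were previously accepted and converted; that new error condition should be recorded in the io_getevents(2) man page alongside EFAULT. Note also that timespec_valid() still admits tv_sec values above KTIME_SEC_MAX, so correctness of the "huge seconds" case rests on timespec_to_ktime() saturating rather than overflowing for those, which is the trade-off the commit message describes; a one-line comment above the check saying so would save the next reader from reaching for timespec_valid_strict().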
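To make the reasoning in the commit message concrete, here is a userspace model of the timeout path before and after the patch. This is an added example, not kernel code and not Ben's test program: the struct, function names and the -EOVERFLOW marker are this example's own, it assumes 64-bit tv_sec and tv_nsec as on a 64-bit kernel, and it uses GCC/clang overflow builtins to report the signed overflow that the real ktime_set() arithmetic would silently hit.

```c
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

#define NSEC_PER_SEC  1000000000LL
#define KTIME_MAX     INT64_MAX
#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)	/* 9223372036 */

/* Assumed model of a 64-bit kernel's struct timespec (not the real type). */
struct kts {
	int64_t tv_sec;
	int64_t tv_nsec;
};

/* Mirrors timespec_valid(): non-negative seconds, nanoseconds in [0, NSEC_PER_SEC). */
static bool kts_valid(const struct kts *ts)
{
	if (ts->tv_sec < 0)
		return false;
	if ((uint64_t)ts->tv_nsec >= NSEC_PER_SEC)
		return false;
	return true;
}

/* Mirrors timespec_valid_strict(): additionally refuses seconds ktime cannot hold. */
static bool kts_valid_strict(const struct kts *ts)
{
	return kts_valid(ts) && (uint64_t)ts->tv_sec < KTIME_SEC_MAX;
}

/*
 * Model of ktime_set(): saturate to KTIME_MAX when secs >= KTIME_SEC_MAX,
 * otherwise compute secs * NSEC_PER_SEC + nsecs.  Returns false when that
 * arithmetic overflows int64; the saturation only guards large positive
 * seconds, so negative seconds and oversized nanoseconds reach it unchecked.
 */
static bool kts_to_ktime(const struct kts *ts, int64_t *out)
{
	int64_t ns;

	if (ts->tv_sec >= KTIME_SEC_MAX) {
		*out = KTIME_MAX;
		return true;
	}
	if (__builtin_mul_overflow(ts->tv_sec, NSEC_PER_SEC, &ns))
		return false;
	if (__builtin_add_overflow(ns, ts->tv_nsec, &ns))
		return false;
	*out = ns;
	return true;
}

/* Pre-patch read_events(): convert unconditionally. -EOVERFLOW marks the overflow path here only. */
static int timeout_before_fix(const struct kts *ts, int64_t *until)
{
	return kts_to_ktime(ts, until) ? 0 : -EOVERFLOW;
}

/* Post-patch read_events(): reject invalid timespecs with -EINVAL before converting. */
static int timeout_after_fix(const struct kts *ts, int64_t *until)
{
	if (!kts_valid(ts))
		return -EINVAL;
	/* Unreachable after validation: tv_sec < KTIME_SEC_MAX and tv_nsec < NSEC_PER_SEC cannot overflow. */
	if (!kts_to_ktime(ts, until))
		return -EOVERFLOW;
	return 0;
}

int main(void)
{
	/* Constructed inputs: a normal timeout, the fuzzer-style negative and oversized values, and a huge but valid one. */
	const struct kts cases[] = {
		{ 5, 0 }, { INT64_MIN, 0 }, { -1, 0 }, { 1, INT64_MAX }, { INT64_MAX, 0 },
	};
	int i;

	for (i = 0; i < (int)(sizeof cases / sizeof cases[0]); i++) {
		int64_t b = 0, a = 0;
		int rb = timeout_before_fix(&cases[i], &b);
		int ra = timeout_after_fix(&cases[i], &a);

		printf("sec=%lld nsec=%lld: before=%d until=%lld | after=%d until=%lld | strict=%d\n",
		       (long long)cases[i].tv_sec, (long long)cases[i].tv_nsec,
		       rb, (long long)b, ra, (long long)a, kts_valid_strict(&cases[i]));
	}
	return 0;
}
```

The last case is the one the commit message is about: tv_sec = INT64_MAX passes timespec_valid() but not timespec_valid_strict(), and the conversion saturates to KTIME_MAX, so a caller that does not know KTIME_SEC_MAX still gets an effectively infinite wait instead of -EINVAL.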
Thread overview: 11+ messages
2015-12-07 10:27 int overflow in io_getevents Dmitry Vyukov
2015-12-16 12:56 ` Jan Kara
2015-12-16 18:38 ` Dmitry Vyukov
2015-12-18 8:15 ` Jan Kara
2016-01-06 18:01 ` Benjamin LaHaise
2016-01-07 9:12 ` Dmitry Vyukov
2016-01-07 15:31 ` Benjamin LaHaise
2016-01-07 15:37 ` Dmitry Vyukov
2016-01-07 15:52 ` Benjamin LaHaise [this message]
2016-01-07 16:27 ` Dmitry Vyukov
2016-10-26 11:44 ` Jiri Slaby