From: Tom Ryan <ryan36005@gmail.com>
To: io-uring@vger.kernel.org
Cc: axboe@kernel.dk, gregkh@linuxfoundation.org, kbusch@kernel.org,
csander@purestorage.com, Tom Ryan <ryan36005@gmail.com>
Subject: [PATCH v2] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
Date: Mon, 9 Mar 2026 22:20:02 -0700
Message-ID: <20260310052003.72871-1-ryan36005@gmail.com>
In-Reply-To: <aa9Bjbplx3b_Uvmj@kbusch-mbp>
When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,
the boundary check for 128-byte SQE operations in io_init_req()
validated the logical SQ head position rather than the physical SQE
index.
The existing check:
!(ctx->cached_sq_head & (ctx->sq_entries - 1))
ensures the logical position isn't at the end of the ring, which is
correct for NO_SQARRAY rings where physical == logical. However, when
sq_array is present, an unprivileged user can remap any logical
position to an arbitrary physical index via sq_array. Setting
sq_array[N] = sq_entries - 1 places a 128-byte operation at the last
physical SQE slot, causing the 128-byte memcpy in
io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE
array.
Replace the cached_sq_head alignment check with a direct validation
of the physical SQE index, which correctly handles both sq_array and
NO_SQARRAY cases.
Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
Signed-off-by: Tom Ryan <ryan36005@gmail.com>
---
v1 -> v2:
- Replace the cached_sq_head alignment check rather than adding a
separate check, per Caleb Sander Mateos' observation that the new
physical index validation subsumes the old logical check for both
sq_array and NO_SQARRAY cases
- Fold into existing conditional per Keith Busch
- liburing test sent separately
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index aa9570316..d9a307384 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1745,7 +1745,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
* well as 2 contiguous entries.
*/
if (!(ctx->flags & IORING_SETUP_SQE_MIXED) || *left < 2 ||
- !(ctx->cached_sq_head & (ctx->sq_entries - 1)))
+ (unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1)
return io_init_fail_req(req, -EINVAL);
/*
* A 128b operation on a mixed SQ uses two entries, so we have
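Review bot: the replacement condition `(unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1` only means "physical slot index" if `sqe` is a pointer into `ctx->sq_sqes`, which the hunk does not show; the comment block above the conditional (ending "* well as 2 contiguous entries.") still reads as a statement about logical head position, so it should be updated to say that the index checked is the physical one, because with sq_array present a logical position can map to any physical slot. A one-line note that `>= sq_entries - 1` leaves exactly one following slot for the second 64 bytes, while `*left < 2` remains the logical-availability guard, would make the two halves of the condition easier to review together.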
--
2.50.1 (Apple Git-155)
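The following is an added, user-space model of the boundary check described in the commit message; it is not kernel code and not part of the patch. It mirrors the two conditions from the diff (the old logical-head test and the new physical-index test) against a simplified ring, so a reader can see why the logical check accepts a remapped last-slot entry while the physical check rejects it. The struct layouts, the fixed 64-entry backing arrays, and the convention that `cached_sq_head` has already been advanced past the first 64-byte half when the check runs are assumptions made for the model.

```c
/* Added example (not kernel or patch code): a user-space model of the
 * IORING_SETUP_SQE_MIXED 128-byte boundary check from io_init_req().
 * Structures are simplified assumptions that mirror kernel field names. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SQE_SIZE    64u
#define MAX_ENTRIES 64u   /* backing-array size for this model (assumption) */

struct sqe { uint8_t bytes[SQE_SIZE]; };

struct ring_model {
    unsigned sq_entries;      /* ring size, a power of two as in io_uring */
    bool no_sqarray;          /* IORING_SETUP_NO_SQARRAY: physical == logical */
    unsigned cached_sq_head;  /* logical head, already past the first 64b half */
    unsigned *sq_array;       /* logical -> physical remap (user-writable) */
    struct sqe *sq_sqes;      /* physical SQE array */
};

/* Physical slot that a logical head position refers to. */
static unsigned physical_index(const struct ring_model *r, unsigned head)
{
    unsigned logical = head & (r->sq_entries - 1);
    return r->no_sqarray ? logical : r->sq_array[logical];
}

/* The '-' line of the patch: reject only when the advanced logical head
 * wrapped to 0, i.e. the first half sat at the last *logical* position. */
static bool old_check_rejects(const struct ring_model *r)
{
    return !(r->cached_sq_head & (r->sq_entries - 1));
}

/* The '+' line of the patch: reject when the first half sits in the last
 * *physical* slot, so the second 64 bytes would fall past the array. */
static bool new_check_rejects(const struct ring_model *r, const struct sqe *sqe)
{
    return (unsigned)(sqe - r->sq_sqes) >= r->sq_entries - 1;
}

struct verdict {
    bool overruns;     /* would a 128-byte copy read past sq_sqes? */
    bool old_rejects;  /* does the logical-head check catch it? */
    bool new_rejects;  /* does the physical-index check catch it? */
};

/* Evaluate one 128-byte op whose first half is at SQ position 'logical';
 * 'physical' is the slot sq_array maps it to (ignored for NO_SQARRAY). */
static struct verdict check_mixed_sqe(unsigned entries, bool no_sqarray,
                                      unsigned logical, unsigned physical)
{
    static unsigned sq_array[MAX_ENTRIES];
    static struct sqe sq_sqes[MAX_ENTRIES];
    struct verdict v = { false, false, false };
    if (entries == 0 || entries > MAX_ENTRIES || (entries & (entries - 1)))
        return v;   /* model only supports power-of-two sizes up to 64 */

    struct ring_model r = { .sq_entries = entries, .no_sqarray = no_sqarray,
                            .sq_array = sq_array, .sq_sqes = sq_sqes };
    for (unsigned i = 0; i < entries; i++)
        sq_array[i] = i;                             /* identity mapping */
    sq_array[logical & (entries - 1)] = physical & (entries - 1); /* remap */

    unsigned head = logical & (entries - 1);
    unsigned idx = physical_index(&r, head);
    const struct sqe *sqe = &sq_sqes[idx];
    r.cached_sq_head = head + 1;   /* first half already consumed (assumption) */

    v.overruns = idx + 2 > entries;  /* second half would be slot 'entries' */
    v.old_rejects = old_check_rejects(&r);
    v.new_rejects = new_check_rejects(&r, sqe);
    return v;
}

int main(void)
{
    /* sq_array present: logical 3 remapped to the last physical slot of 8 */
    struct verdict v = check_mixed_sqe(8, false, 3, 7);
    printf("remapped: overruns=%d old_rejects=%d new_rejects=%d\n",
           v.overruns, v.old_rejects, v.new_rejects);
    /* NO_SQARRAY: last logical slot is also the last physical slot */
    v = check_mixed_sqe(8, true, 7, 0);
    printf("no_sqarray: overruns=%d old_rejects=%d new_rejects=%d\n",
           v.overruns, v.old_rejects, v.new_rejects);
    return 0;
}
```

The remapped case is the one the commit message describes: the logical head is mid-ring, so the old check passes, yet the physical slot is the last one and the copy would overrun; the physical-index check rejects it. In the NO_SQARRAY case both checks agree, which is why the patch can replace the old condition rather than add a second one.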
Thread overview: 8+ messages
2026-03-09 21:20 io_uring: OOB read in SQE_MIXED mode via sq_array physical index bypass Tom Ryan
2026-03-09 21:29 ` Keith Busch
2026-03-09 21:45 ` Caleb Sander Mateos
2026-03-09 21:54 ` Keith Busch
2026-03-10 5:20 ` Tom Ryan [this message]
2026-03-10 5:20 ` [PATCH liburing] test/sqe-mixed-boundary: validate physical SQE index for 128-byte ops Tom Ryan
2026-03-10 13:01 ` Jens Axboe
2026-03-10 14:44 ` [PATCH v2] io_uring: fix physical SQE bounds check for SQE_MIXED " Jens Axboe