From: Colin Ian King <colin.king@canonical.com>
To: Pavel Begunkov <asml.silence@gmail.com>,
Jens Axboe <axboe@kernel.dk>,
io-uring@vger.kernel.org
Subject: Re: [PATCH] io_uring: fix provide_buffers sign extension
Date: Fri, 19 Mar 2021 10:39:53 +0000 [thread overview]
Message-ID: <280d0b86-1d49-2641-edc7-02de8bb01b92@canonical.com> (raw)
In-Reply-To: <763d7d4f-5264-2db0-ee17-1b10699c095b@gmail.com>
On 19/03/2021 10:34, Pavel Begunkov wrote:
> On 19/03/2021 10:31, Colin Ian King wrote:
>> On 19/03/2021 10:21, Pavel Begunkov wrote:
>>> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
>>> problems. Not a huge problem as it's only used for access_ok() and
>>> increases the checked length, but better to keep typing right.
>>>
>>> Reported-by: Colin Ian King <colin.king@canonical.com>
>>> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
>>> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
>>> ---
>>> fs/io_uring.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>>> index c2489b463eb9..4f1c98502a09 100644
>>> --- a/fs/io_uring.c
>>> +++ b/fs/io_uring.c
>>> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
>>> static int io_provide_buffers_prep(struct io_kiocb *req,
>>> const struct io_uring_sqe *sqe)
>>> {
>>> + unsigned long size;
>>> struct io_provide_buf *p = &req->pbuf;
>>> u64 tmp;
>>>
>>> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
>>> p->addr = READ_ONCE(sqe->addr);
>>> p->len = READ_ONCE(sqe->len);
>>>
>>> - if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
>>> + size = (unsigned long)p->len * p->nbufs;
>>> + if (!access_ok(u64_to_user_ptr(p->addr), size))
>>> return -EFAULT;
>>>
>>> p->bgid = READ_ONCE(sqe->buf_group);
>>>
>>
>> Does it make sense to make size a u64 and cast to a u64 rather than
>> unsigned long?
>
> static inline int __access_ok(unsigned long addr, unsigned long size)
> {
> return 1;
> }
>
> Not sure. I was thinking about size_t, but ended up sticking
> to access_ok types.
>
Ah, yep. OK.
Reviewed-by: Colin Ian King <colin.king@canonical.com>
next prev parent reply other threads:[~2021-03-19 10:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-19 10:21 [PATCH] io_uring: fix provide_buffers sign extension Pavel Begunkov
2021-03-19 10:31 ` Colin Ian King
2021-03-19 10:34 ` Pavel Begunkov
2021-03-19 10:39 ` Colin Ian King [this message]
2021-03-22 1:47 ` Pavel Begunkov
2021-03-22 13:41 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=280d0b86-1d49-2641-edc7-02de8bb01b92@canonical.com \
--to=colin.king@canonical.com \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox