Commit c4f4b82

AIO: properly check iovec sizes
In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue.

Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 509d000 commit c4f4b82

1 file changed

+7
-2
lines changed

Diff for: fs/aio.c

@@ -1375,11 +1375,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb,
13751375
unsigned long *nr_segs,
13761376
struct iovec *iovec)
13771377
{
1378-
if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes)))
1378+
size_t len = kiocb->ki_nbytes;
1379+
1380+
if (len > MAX_RW_COUNT)
1381+
len = MAX_RW_COUNT;
1382+
1383+
if (unlikely(!access_ok(!rw, buf, len)))
13791384
return -EFAULT;
13801385

13811386
iovec->iov_base = buf;
1382-
iovec->iov_len = kiocb->ki_nbytes;
1387+
iovec->iov_len = len;
13831388
*nr_segs = 1;
13841389
return 0;
13851390
}
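
Review bot: after the clamp at the top of aio_setup_single_vector(), iovec->iov_len is set from len while kiocb->ki_nbytes keeps the original, unclamped value, so the two disagree for any request larger than MAX_RW_COUNT. If code later in the AIO path reads ki_nbytes as the transfer size, it would not see the limit applied here; consider writing the clamped value back (`kiocb->ki_nbytes = len;`) or adding a comment explaining why the mismatch is harmless. A short comment above `if (len > MAX_RW_COUNT)` saying that oversized requests are silently truncated rather than rejected would also make the intent clear to readers of this function.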
