Skip to content
Permalink
Browse files Browse the repository at this point in the history
AIO: properly check iovec sizes
In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.

Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
gregkh committed Feb 25, 2016
1 parent 509d000 commit c4f4b82
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions fs/aio.c
Expand Up @@ -1375,11 +1375,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb,
unsigned long *nr_segs,
struct iovec *iovec)
{
if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes)))
size_t len = kiocb->ki_nbytes;

if (len > MAX_RW_COUNT)
len = MAX_RW_COUNT;

if (unlikely(!access_ok(!rw, buf, len)))
return -EFAULT;

iovec->iov_base = buf;
iovec->iov_len = kiocb->ki_nbytes;
iovec->iov_len = len;
*nr_segs = 1;
return 0;
}
Expand Down

0 comments on commit c4f4b82

Please sign in to comment.