Commit 57c463e4 authored Feb 19, 2016 by Greg Kroah-Hartman Committed by Gerrit - the friendly Code Review server Jul 21, 2016

AIO: properly check iovec sizes



In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.

Change-Id: Ie05a79ad7dafef2c737a3fbef556868742cb2bb2
Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: c4f4b82694fe48b02f7a881a1797131a6dad1364
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git


Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>

parent 558d13ea

fs/aio.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -1354,11 +1354,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb,
		unsigned long *nr_segs,
		struct iovec *iovec)
		{
		if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes)))
		size_t len = kiocb->ki_nbytes;

		if (len > MAX_RW_COUNT)
		len = MAX_RW_COUNT;

		if (unlikely(!access_ok(!rw, buf, len)))
		return -EFAULT;

		iovec->iov_base = buf;
		iovec->iov_len = kiocb->ki_nbytes;
		iovec->iov_len = len;
		*nr_segs = 1;
		return 0;
		}