Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cb4644ca authored by Jens Axboe's avatar Jens Axboe
Browse files

bio: take care not overflow page count when mapping/copying user data 



If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: default avatarJens Axboe <jaxboe@fusionio.com>
parent f3f63c1c

fs/bio.c

+13 −1
Original line number Diff line number Diff line
@@ -834,6 +834,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, 
		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;

		start = uaddr >> PAGE_SHIFT;



		/*

		 * Overflow, abort

		 */

		if (end < start)

			return ERR_PTR(-EINVAL);



		nr_pages += end - start;

		len += iov[i].iov_len;

	}
@@ -962,6 +968,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, 
		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;

		unsigned long start = uaddr >> PAGE_SHIFT;



		/*

		 * Overflow, abort

		 */

		if (end < start)

			return ERR_PTR(-EINVAL);



		nr_pages += end - start;

		/*

		 * buffer must be aligned to at least hardsector size for now