Date:   Thu, 28 Oct 2021 15:40:09 -0600
From:   Jens Axboe <axboe@...nel.dk>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        Hao Xu <haoxu@...ux.alibaba.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>
Subject: Re: [BUG] About "io_uring: add more uring info to fdinfo for debug"

On 10/28/21 3:24 PM, Eric Dumazet wrote:
> Hi
> 
> I was looking at commit 83f84356bc8f2d
> ("io_uring: add more uring info to fdinfo for debug") after receiving
> syzbot reports.
> 
> I suspect that the following:
> 
> +       for (i = cached_sq_head; i < sq_tail; i++) {
> +               unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
> +
> +               if (likely(sq_idx <= sq_mask)) {
> +                       struct io_uring_sqe *sqe = &ctx->sq_sqes[sq_idx];
> +
> +                       seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
> +                                  sq_idx, sqe->opcode, sqe->fd, sqe->flags, sqe->user_data);
> +               }
> +       }
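
Review bot: the loop bound `i < sq_tail`, with `i` starting at `cached_sq_head`, compares two free-running ring indices directly, so the number of `seq_printf()` lines is the raw distance between them and is not tied to the ring size anywhere in this hunk. Assuming these are unsigned 32-bit indices, a large `sq_tail` produces far more iterations than the ring has slots, and a `sq_tail` that has wrapped below `cached_sq_head` dumps nothing. Suggest computing the count once as the unsigned difference `sq_tail - cached_sq_head`, clamping it to the ring's entry count, and indexing with `(cached_sq_head + i) & sq_mask`; the existing `sq_idx <= sq_mask` check only bounds the `sq_sqes` index and does not limit the loop.
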
> 
> 
> Can loop around ~2^32 times if sq_tail is close to ~0U
> 
> I see various READ_ONCE(), which are probably not good enough.
> 
> At the very minimum I would handle wrapping...

Thanks for reporting this. I think on top of wrapping, the loop should
just be capped at sq_entries as well. There's no point dumping more than
that, ever.

I'll take a stab at this.

-- 
Jens Axboe
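
The wrap handling and the cap at the ring size discussed in this thread, as an added C example that is not the kernel's code or the eventual fix. The function names, the 8-entry ring and the head/tail values are constructed for illustration, and the ring size is assumed to be a power of two.

```c
#include <stdint.h>
#include <stdio.h>

/* Iterations performed by the quoted form: for (i = head; i < tail; i++). */
static uint64_t naive_iterations(uint32_t head, uint32_t tail)
{
    return tail > head ? (uint64_t)tail - head : 0;
}

/* Wrap-safe count of pending entries, capped at the ring size. */
static uint32_t bounded_entries(uint32_t head, uint32_t tail, uint32_t sq_entries)
{
    uint32_t pending = tail - head; /* modulo-2^32 subtraction survives wrap */
    return pending < sq_entries ? pending : sq_entries;
}

/* Dump a toy ring with the bounded loop; returns the number of slots visited. */
static uint32_t dump_ring(const uint32_t *sq_array, uint32_t sq_entries,
                          uint32_t head, uint32_t tail, uint32_t *last_slot)
{
    uint32_t mask = sq_entries - 1; /* assumes sq_entries is a power of two */
    uint32_t n = bounded_entries(head, tail, sq_entries);

    for (uint32_t i = 0; i < n; i++) {
        uint32_t slot = (head + i) & mask;
        uint32_t sq_idx = sq_array[slot];

        if (sq_idx <= mask) /* same index check as the quoted hunk */
            printf("slot %u -> sq_idx %u\n", slot, sq_idx);
        *last_slot = slot;
    }
    return n;
}

int main(void)
{
    uint32_t ring[8] = {0, 1, 2, 3, 4, 5, 6, 7}; /* constructed sample ring */
    uint32_t last = 0;

    printf("naive, tail near ~0U: %llu iterations\n",
           (unsigned long long)naive_iterations(0, 0xFFFFFFF0u));
    printf("naive, tail wrapped:  %llu iterations\n",
           (unsigned long long)naive_iterations(0xFFFFFFFEu, 2));
    printf("bounded, tail wrapped: %u slots\n",
           dump_ring(ring, 8, 0xFFFFFFFEu, 2, &last));
    return 0;
}
```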
