| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211129041537.1936270-1-yebin10@huawei.com>
Date: Mon, 29 Nov 2021 12:15:37 +0800
From: Ye Bin <yebin10@...wei.com>
To: <axboe@...nel.dk>, <asml.silence@...il.com>,
<io-uring@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: Ye Bin <yebin10@...wei.com>
Subject: [PATCH -next] io_uring: Fix undefined-behaviour in io_issue_sqe if pass large timeout value when call io_timeout_remove_prep
This patch fix another scene lead to the issue which
"io_uring: Fix undefined-behaviour in io_issue_sqe" commit descript.
Add check if timeout is legal which user space pass in when call
io_timeout_remove_prep to update timeout value.
Signed-off-by: Ye Bin <yebin10@...wei.com>
---
fs/io_uring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 39fd7372b324..de913334f22e 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6114,6 +6114,8 @@ static int io_timeout_remove_prep(struct io_kiocb *req,
return -EINVAL;
if (get_timespec64(&tr->ts, u64_to_user_ptr(sqe->addr2)))
return -EFAULT;
+ if (tr->ts.tv_sec < 0 || tr->ts.tv_nsec < 0)
+ return -EINVAL;
} else if (tr->flags) {
/* timeout removal doesn't support flags */
return -EINVAL;
--
2.31.1
Powered by blists - more mailing lists