[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Jul 2022 15:49:52 +0800
From: Ming Lei <ming.lei@...hat.com>
To: Gabriel Krisman Bertazi <krisman@...labora.com>
Cc: Jens Axboe <axboe@...nel.dk>, linux-block@...r.kernel.org,
Harris James R <james.r.harris@...el.com>,
linux-kernel@...r.kernel.org, io-uring@...r.kernel.org,
ZiyangZhang <ZiyangZhang@...ux.alibaba.com>,
Xiaoguang Wang <xiaoguang.wang@...ux.alibaba.com>,
Stefan Hajnoczi <stefanha@...hat.com>, ming.lei@...hat.com
Subject: Re: [PATCH V3 1/1] ublk: add io_uring based userspace block driver
On Tue, Jul 05, 2022 at 04:06:16PM +0800, Ming Lei wrote:
> On Mon, Jul 04, 2022 at 06:10:40PM -0400, Gabriel Krisman Bertazi wrote:
> > Ming Lei <ming.lei@...hat.com> writes:
...
>
> >
> >
> > > + __func__, cmd->cmd_op, ub_cmd->q_id, tag,
> > > + ub_cmd->result);
> > > +
> > > + if (!(issue_flags & IO_URING_F_SQE128))
> > > + goto out;
> > > +
> > > + ubq = ublk_get_queue(ub, ub_cmd->q_id);
> > > + if (!ubq || ub_cmd->q_id != ubq->q_id)
> >
> > q_id is coming from userspace and is used to access an array inside
> > ublk_get_queue(). I think you need to ensure qid < ub->dev_info.nr_hw_queues
> > before calling ublk_get_queue() to protect from a kernel bad memory
> > access triggered by userspace.
>
> Good catch!
Turns out the check on 'qid < ub->dev_info.nr_hw_queues' isn't needed,
since the condition of 'ub_cmd->q_id != ubq->q_id' is more strict.
Thanks,
Ming
Powered by blists - more mailing lists