| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230427143142.3013020-1-tudor.cretu@arm.com>
Date: Thu, 27 Apr 2023 15:31:42 +0100
From: Tudor Cretu <tudor.cretu@....com>
To: io-uring@...r.kernel.org
Cc: =axboe@...nel.dk, asml.silence@...il.com, kevin.brodsky@....com,
linux-kernel@...r.kernel.org, Tudor Cretu <tudor.cretu@....com>
Subject: [PATCH] io_uring/kbuf: Fix size for shared buffer ring
The size of the ring is the product of ring_entries and the size of
struct io_uring_buf. Using struct_size is equivalent to
(ring_entries + 1) * sizeof(struct io_uring_buf)
and generates an off-by-one error. Fix it by using size_mul directly.
Signed-off-by: Tudor Cretu <tudor.cretu@....com>
---
io_uring/kbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index 4a6401080c1f..9770757c89a0 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
}
pages = io_pin_pages(reg.ring_addr,
- struct_size(br, bufs, reg.ring_entries),
+ size_mul(sizeof(struct io_uring_buf), reg.ring_entries),
&nr_pages);
if (IS_ERR(pages)) {
kfree(free_bl);
--
2.34.1
Powered by blists - more mailing lists