lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230427143142.3013020-1-tudor.cretu@arm.com>
Date:   Thu, 27 Apr 2023 15:31:42 +0100
From:   Tudor Cretu <tudor.cretu@....com>
To:     io-uring@...r.kernel.org
Cc:     =axboe@...nel.dk, asml.silence@...il.com, kevin.brodsky@....com,
        linux-kernel@...r.kernel.org, Tudor Cretu <tudor.cretu@....com>
Subject: [PATCH] io_uring/kbuf: Fix size for shared buffer ring

The size of the ring is the product of ring_entries and the size of
struct io_uring_buf. Using struct_size is equivalent to
  (ring_entries + 1) * sizeof(struct io_uring_buf)
and generates an off-by-one error. Fix it by using size_mul directly.

Signed-off-by: Tudor Cretu <tudor.cretu@....com>
---
 io_uring/kbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index 4a6401080c1f..9770757c89a0 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
 	}
 
 	pages = io_pin_pages(reg.ring_addr,
-			     struct_size(br, bufs, reg.ring_entries),
+			     size_mul(sizeof(struct io_uring_buf), reg.ring_entries),
 			     &nr_pages);
 	if (IS_ERR(pages)) {
 		kfree(free_bl);
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ