| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <03b13c8f-0f4c-0692-b2f0-e90d7877e327@kernel.dk>
Date: Thu, 27 Apr 2023 12:42:43 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Tudor Cretu <tudor.cretu@....com>, io-uring@...r.kernel.org
Cc: =axboe@...nel.dk, asml.silence@...il.com, kevin.brodsky@....com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] io_uring/kbuf: Fix size for shared buffer ring
On 4/27/23 8:31 AM, Tudor Cretu wrote:
> The size of the ring is the product of ring_entries and the size of
> struct io_uring_buf. Using struct_size is equivalent to
> (ring_entries + 1) * sizeof(struct io_uring_buf)
> and generates an off-by-one error. Fix it by using size_mul directly.
>
> Signed-off-by: Tudor Cretu <tudor.cretu@....com>
> ---
> io_uring/kbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index 4a6401080c1f..9770757c89a0 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
> }
>
> pages = io_pin_pages(reg.ring_addr,
> - struct_size(br, bufs, reg.ring_entries),
> + size_mul(sizeof(struct io_uring_buf), reg.ring_entries),
> &nr_pages);
> if (IS_ERR(pages)) {
> kfree(free_bl);
Looking into this again, and some bells ringing in the back of my head,
we do have:
commit 48ba08374e779421ca34bd14b4834aae19fc3e6a
Author: Wojciech Lukowicz <wlukowicz01@...il.com>
Date: Sat Feb 18 18:41:41 2023 +0000
io_uring: fix size calculation when registering buf ring
which should have fixed that issue. What kernel version are you looking at?
--
Jens Axboe
Powered by blists - more mailing lists