lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 28 Apr 2023 11:29:40 +0100
From:   Tudor Cretu <tudor.cretu@....com>
To:     Jens Axboe <axboe@...nel.dk>, io-uring@...r.kernel.org
Cc:     asml.silence@...il.com, kevin.brodsky@....com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] io_uring/kbuf: Fix size for shared buffer ring



On 27-04-2023 19:42, Jens Axboe wrote:
> On 4/27/23 8:31 AM, Tudor Cretu wrote:
>> The size of the ring is the product of ring_entries and the size of
>> struct io_uring_buf. Using struct_size is equivalent to
>>    (ring_entries + 1) * sizeof(struct io_uring_buf)
>> and generates an off-by-one error. Fix it by using size_mul directly.
>>
>> Signed-off-by: Tudor Cretu <tudor.cretu@....com>
>> ---
>>   io_uring/kbuf.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
>> index 4a6401080c1f..9770757c89a0 100644
>> --- a/io_uring/kbuf.c
>> +++ b/io_uring/kbuf.c
>> @@ -505,7 +505,7 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
>>   	}
>>   
>>   	pages = io_pin_pages(reg.ring_addr,
>> -			     struct_size(br, bufs, reg.ring_entries),
>> +			     size_mul(sizeof(struct io_uring_buf), reg.ring_entries),
>>   			     &nr_pages);
>>   	if (IS_ERR(pages)) {
>>   		kfree(free_bl);
> 
> Looking into this again, and some bells ringing in the back of my head,
> we do have:
> 
> commit 48ba08374e779421ca34bd14b4834aae19fc3e6a
> Author: Wojciech Lukowicz <wlukowicz01@...il.com>
> Date:   Sat Feb 18 18:41:41 2023 +0000
> 
>      io_uring: fix size calculation when registering buf ring
> 
> which should have fixed that issue. What kernel version are you looking at?

Hi Jens,

Thank you for your message. Indeed I was looking at a slightly older 
version of the kernel. Apologies for the noise!

Kind regards,
Tudor

>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ