| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <173333042069.512655.8947541818653406492.b4-ty@kernel.dk>
Date: Wed, 04 Dec 2024 09:40:20 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Pavel Begunkov <asml.silence@...il.com>, io-uring@...r.kernel.org,
Colin Ian King <colin.i.king@...il.com>
Cc: kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH][next] io_uring/kbuf: fix unintentional sign extension
on shift of reg.bgid
On Wed, 04 Dec 2024 15:39:23 +0000, Colin Ian King wrote:
> Shifting reg.bgid << IORING_OFF_PBUF_SHIFT results in a promotion
> from __u16 to a 32 bit signed integer, this is then sign extended
> to a 64 bit unsigned long on 64 bit architectures. If reg.bgid is
> greater than 0x7fff then this leads to a sign extended result where
> all the upper 32 bits of mmap_offset are set to 1. Fix this by
> casting reg.bgid to the same type as mmap_offset before performing
> the shift.
>
> [...]
Applied, thanks!
[1/1] io_uring/kbuf: fix unintentional sign extension on shift of reg.bgid
commit: e54fb80b57e4534ae91e65ea14cc66b9f21b4b7a
Best regards,
--
Jens Axboe
Powered by blists - more mailing lists