lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20250426075310.6597-1-nj.shetty@samsung.com>
Date: Sat, 26 Apr 2025 13:23:10 +0530
From: Nitesh Shetty <nj.shetty@...sung.com>
To: Alexander Viro <viro@...iv.linux.org.uk>, Andrew Morton
	<akpm@...ux-foundation.org>
Cc: axboe@...nel.dk, gost.dev@...sung.com, nitheshshetty@...il.com, Nitesh
	Shetty <nj.shetty@...sung.com>, linux-kernel@...r.kernel.org
Subject: [PATCH v2] iov_iter: Use iov_offset for length calculation in
 iov_iter_aligned_bvec

If iov_offset is non-zero, then we need to consider iov_offset in length
calculation, otherwise we might pass smaller IOs such as 512 bytes, in
below scenario[1].
This issue is reproducible using lib-uring test/fixed-seg.c application
with fixed buffer on a 512 LBA formatted device.
Fixes รข3639f96f24a121ec9f037981b81daf5a8d60a

[1]
At present we pass the alignment check,
for 512 LBA formatted devices, len_mask = 511
when IO is smaller, i->count = 512
has an offset, i->io_offset = 3584
with bvec values, bvec->bv_offset = 256, bvec->bv_len = 3840.
In short, the first 256 bytes are in the current page,
next 256 bytes are in the second page.
Ideally we expect to fail the IO.

Reviewed-by: Jens Axboe <axboe@...nel.dk>
Signed-off-by: Nitesh Shetty <nj.shetty@...sung.com>
---
 lib/iov_iter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index bc9391e55d57..9ce83ab71bac 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -820,7 +820,7 @@ static bool iov_iter_aligned_bvec(const struct iov_iter *i, unsigned addr_mask,
 	size_t size = i->count;
 
 	do {
-		size_t len = bvec->bv_len;
+		size_t len = bvec->bv_len - skip;
 
 		if (len > size)
 			len = size;

base-commit: 02ddfb981de88a2c15621115dd7be2431252c568
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ