| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com>
Date: Wed, 27 Aug 2025 19:43:39 +0800
From: Qingyue Zhang <chunzhennn@...com>
To: axboe@...nel.dk
Cc: io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org,
Qingyue Zhang <chunzhennn@...com>,
Suoxing Zhang <aftern00n@...com>
Subject: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This
can lead to unexpected behavior if buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.
Co-developed-by: Suoxing Zhang <aftern00n@...com>
Signed-off-by: Suoxing Zhang <aftern00n@...com>
Signed-off-by: Qingyue Zhang <chunzhennn@...com>
---
io_uring/kbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index f2d2cc319faa..81a13338dfab 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
u32 this_len;
buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
- this_len = min_t(int, len, buf->len);
+ this_len = min_t(u32, len, buf->len);
buf->len -= this_len;
if (buf->len) {
buf->addr += this_len;
--
2.48.1
Powered by blists - more mailing lists