| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8ed15a17-618f-4277-afc3-934939292060@kernel.dk>
Date: Wed, 27 Aug 2025 20:50:24 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Qingyue Zhang <chunzhennn@...com>
Cc: aftern00n@...com, io-uring@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] io_uring/kbuf: fix infinite loop in
io_kbuf_inc_commit()
On 8/27/25 8:49 PM, Qingyue Zhang wrote:
> On Wed, 27 Aug 2025 20:08:05 -0600, Jens Axboe wrote:
>> I don't think there's anything wrong with the looping and stopping at
>> the other end is of course a safe guard, but couldn't we just abort the
>> loop if we see a 0 sized buffer? At that point we know the buffer is
>> invalid, or the kernel is buggy, and it'd be saner to stop at that
>> point. Something ala:
>>
>>
>> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
>> index 394037d3f2f6..19a8bde5e1e1 100644
>> --- a/io_uring/kbuf.c
>> +++ b/io_uring/kbuf.c
>> @@ -42,7 +42,8 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
>> buf_len = READ_ONCE(buf->len);
>> this_len = min_t(u32, len, buf_len);
>> buf_len -= this_len;
>> - if (buf_len) {
>> + /* Stop looping for invalid buffer length of 0 */
>> + if (buf_len || !this_len) {
>> buf->addr += this_len;
>> buf->len = buf_len;
>> return false;
>
> Good idea, it looks nice to me.
I'll send it out, I amended the commit message a bit too.
--
Jens Axboe
Powered by blists - more mailing lists