| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8f4a4090-78ed-4cf1-bd73-7ae73fff8b90@kernel.dk>
Date: Wed, 27 Aug 2025 20:58:12 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Qingyue Zhang <chunzhennn@...com>
Cc: aftern00n@...com, io-uring@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] io_uring/kbuf: fix infinite loop in
io_kbuf_inc_commit()
On 8/27/25 8:50 PM, Jens Axboe wrote:
> On 8/27/25 8:49 PM, Qingyue Zhang wrote:
>> On Wed, 27 Aug 2025 20:08:05 -0600, Jens Axboe wrote:
>>> I don't think there's anything wrong with the looping and stopping at
>>> the other end is of course a safe guard, but couldn't we just abort the
>>> loop if we see a 0 sized buffer? At that point we know the buffer is
>>> invalid, or the kernel is buggy, and it'd be saner to stop at that
>>> point. Something ala:
>>>
>>>
>>> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
>>> index 394037d3f2f6..19a8bde5e1e1 100644
>>> --- a/io_uring/kbuf.c
>>> +++ b/io_uring/kbuf.c
>>> @@ -42,7 +42,8 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
>>> buf_len = READ_ONCE(buf->len);
>>> this_len = min_t(u32, len, buf_len);
>>> buf_len -= this_len;
>>> - if (buf_len) {
>>> + /* Stop looping for invalid buffer length of 0 */
>>> + if (buf_len || !this_len) {
>>> buf->addr += this_len;
>>> buf->len = buf_len;
>>> return false;
>>
>> Good idea, it looks nice to me.
>
> I'll send it out, I amended the commit message a bit too.
Oh, and let me know if you prefer any tags or whatever changed in that
patch.
Additionally, would you mind if I use your reproducer for a test case?
I turned it into the below. Will need a bit more to be a test case, but
it's pretty much there. Functionally it should be the same, it's just
using more idiomatic liburing rather than the lower level helpers.
And finally, thanks for the report and test case! Very useful.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <liburing.h>
#define BGID 0
#define RENTRIES 2
#define RMASK (RENTRIES - 1)
int main(int argc, char *argv[])
{
struct io_uring_buf_ring *br;
struct io_uring_sqe *sqe;
struct io_uring ring;
void *send_buf;
int ret, fds[2];
io_uring_queue_init(1, &ring, IORING_SETUP_NO_SQARRAY);
br = io_uring_setup_buf_ring(&ring, RENTRIES, BGID, IOU_PBUF_RING_INC, &ret);
if (!br) {
if (ret == -EINVAL)
return 77;
fprintf(stderr, "buf ring setup: %d\n", ret);
return 1;
}
/*
* Use the buffer ring itself as the provided buffer address. Once the
* recv completes, it will have zero filled the buffer addr/len.
*/
io_uring_buf_ring_add(br, br, 4096, 0, RMASK, 0);
io_uring_buf_ring_advance(br, 1);
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) < 0) {
perror("socketpair");
return 1;
}
/*
* Send zeroes, overwriting the buffer ring
*/
send_buf = calloc(1, 32);
ret = send(fds[0], send_buf, 32, MSG_DONTWAIT);
if (ret < 0) {
perror("send");
return 1;
}
/*
* Do recv, picking the first buffer. When buffer is picked,
* it's still fully valid. By the time it needs to get committed,
* it will have invalid addr/len fields (all zeroes from the recv)
*/
sqe = io_uring_get_sqe(&ring);
io_uring_prep_recv_multishot(sqe, fds[1], NULL, 0, 0);
sqe->flags |= IOSQE_BUFFER_SELECT;
sqe->buf_index = BGID;
io_uring_submit_and_wait(&ring, 2);
io_uring_free_buf_ring(&ring, br, RENTRIES, BGID);
io_uring_queue_exit(&ring);
return 0;
}
--
Jens Axboe
Powered by blists - more mailing lists