| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260129224618.975401-1-csander@purestorage.com>
Date: Thu, 29 Jan 2026 15:46:13 -0700
From: Caleb Sander Mateos <csander@...estorage.com>
To: Ming Lei <ming.lei@...hat.com>,
Jens Axboe <axboe@...nel.dk>
Cc: Govindarajulu Varadarajan <govind.varadar@...il.com>,
linux-block@...r.kernel.org,
linux-kernel@...r.kernel.org,
Caleb Sander Mateos <csander@...estorage.com>
Subject: [PATCH 0/4] ublk: fix struct ublksrv_ctrl_cmd accesses
struct ublksrv_ctrl_cmd is part of the io_uring_sqe. Since commit
87213b0d847c ("ublk: allow non-blocking ctrl cmds in IO_URING_F_NONBLOCK
issue") allowed some commands to be handled in the non-blocking issue,
the SQE may lie in userspace-mapped memory. Validate that the SQE size
is the expected 128 bytes before dereferencing it. Access the
ublksrv_ctrl_cmd fields with READ_ONCE(), as userspace may write to them
concurrently.
Caleb Sander Mateos (3):
ublk: don't write to struct ublksrv_ctrl_cmd
ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd
ublk: drop ublk_ctrl_{start,end}_recovery() header argument
Govindarajulu Varadarajan (1):
ublk: Validate SQE128 flag before accessing the cmd
drivers/block/ublk_drv.c | 163 +++++++++++++++++++--------------------
1 file changed, 80 insertions(+), 83 deletions(-)
--
2.45.2
Powered by blists - more mailing lists