io_uring: improve import_fixed overflow checks

author Pavel Begunkov <asml.silence@gmail.com>

Thu, 1 Apr 2021 14:43:54 +0000 (15:43 +0100)

committer Jens Axboe <axboe@kernel.dk>

Mon, 12 Apr 2021 01:30:34 +0000 (19:30 -0600)
author Pavel Begunkov <asml.silence@gmail.com>
Thu, 1 Apr 2021 14:43:54 +0000 (15:43 +0100)
committer Jens Axboe <axboe@kernel.dk>
Mon, 12 Apr 2021 01:30:34 +0000 (19:30 -0600)
diff --git a/fs/io_uring.c b/fs/io_uring.c

index f53d932..e6508b1 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2785,8 +2785,8 @@ static int io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter)
         size_t len = req->rw.len;
         struct io_mapped_ubuf *imu;
         u16 index, buf_index = req->buf_index;
+       u64 buf_end, buf_addr = req->rw.addr;
         size_t offset;
-       u64 buf_addr;
  
         if (unlikely(buf_index >= ctx->nr_user_bufs))
                 return -EFAULT;
@@ -2794,11 +2794,10 @@ static int io_import_fixed(struct io_kiocb *req, int rw, struct iov_iter *iter)
         imu = &ctx->user_bufs[index];
         buf_addr = req->rw.addr;
  
-       /* overflow */
-       if (buf_addr + len < buf_addr)
+       if (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))
                 return -EFAULT;
         /* not inside the mapped region */
-       if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
+       if (buf_addr < imu->ubuf || buf_end > imu->ubuf + imu->len)
                 return -EFAULT;
  
         /*
author	Pavel Begunkov <asml.silence@gmail.com>
	Thu, 1 Apr 2021 14:43:54 +0000 (15:43 +0100)
committer	Jens Axboe <axboe@kernel.dk>
	Mon, 12 Apr 2021 01:30:34 +0000 (19:30 -0600)