Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759164AbcCVKru (ORCPT ); Tue, 22 Mar 2016 06:47:50 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:57029 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758632AbcCVKnQ (ORCPT ); Tue, 22 Mar 2016 06:43:16 -0400 From: Luis Henriques To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com Cc: Greg Kroah-Hartman , Moritz Muehlenhoff , Luis Henriques Subject: [PATCH 3.16.y-ckt 132/142] AIO: properly check iovec sizes Date: Tue, 22 Mar 2016 10:41:01 +0000 Message-Id: <1458643271-4227-133-git-send-email-luis.henriques@canonical.com> In-Reply-To: <1458643271-4227-1-git-send-email-luis.henriques@canonical.com> References: <1458643271-4227-1-git-send-email-luis.henriques@canonical.com> X-Extended-Stable: 3.16 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1403 Lines: 46 3.16.7-ckt26 -stable review patch. If anyone has any objections, please let me know. ---8<------------------------------------------------------------ From: Greg Kroah-Hartman In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers. Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue. Reported-by: Ben Hawkes Acked-by: Benjamin LaHaise Tested-by: Willy Tarreau Signed-off-by: Greg Kroah-Hartman Cc: Moritz Muehlenhoff Signed-off-by: Luis Henriques --- fs/aio.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/aio.c b/fs/aio.c index a6f86dae34be..7aaa4164bba5 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1378,11 +1378,16 @@ static ssize_t aio_setup_single_vector(struct kiocb *kiocb, unsigned long *nr_segs, struct iovec *iovec) { - if (unlikely(!access_ok(!rw, buf, kiocb->ki_nbytes))) + size_t len = kiocb->ki_nbytes; + + if (len > MAX_RW_COUNT) + len = MAX_RW_COUNT; + + if (unlikely(!access_ok(!rw, buf, len))) return -EFAULT; iovec->iov_base = buf; - iovec->iov_len = kiocb->ki_nbytes; + iovec->iov_len = len; *nr_segs = 1; return 0; }