Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4642590pxj; Wed, 12 May 2021 09:54:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzkbBOB3xgVO+nbbfwtzc2MTex7qldIxju/ZNSe/TdwGajQx0eUVlKzYNeL+f0ULq23SiMF X-Received: by 2002:a17:906:9381:: with SMTP id l1mr38156896ejx.45.1620838460406; Wed, 12 May 2021 09:54:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620838460; cv=none; d=google.com; s=arc-20160816; b=qOLW2mgnAeNlcbykU2cWkTOHpz9iv2+lUjbTa/2MJ6VmCFf+8Uniq5MFEOFuSfzWT9 ySbUJfkfc25biZaNvhQ9fmxipxIpJwB+lEo02AS5C8vLLuJ2SWoclHrYBDGhD9S7C0/L puXMUPnfHcVEzZw54gpoaHBjbmP4AKnsjI+ls8ZQ3vQfNZt1EFXsiVZKmpUNfhhPPcKo ivyDSdUPfM6z+hQeweu0crim7d18vW/43U+3HlcelOiHSFWZdBCsPRlYFnjE5frGnseF Du1k7XmE8014t7ebdRGs9qo/nsFy9qTTvLKhYL2QgXR+e0rhG6Ri6N+3acWQqZUJseG9 2KRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=FhZGSUtmlLEReShTtMn/cLnAn72vUKO8+OJ7YYB/jqo=; b=Oo6bMam645ZhOeptXHXN1xpcT2Iypkooflvh+SXflKvYhbuz+23WlB1hN1CcXkntfj MKQiSdLiy88tXWb88W0J0GtK5LYtuNA9DyGF6uuvvzy4fv1fWmmg5QzgFzS5yyJKCn1Y ppye373iq/f+9k0X9uTruFu0HFdebdjKKKbaSqK7MAOYvXRCZ3WIxFCo9lNiDOzjY7W3 GI8rium6xdBIZTDTSxg8VLVG7hJ1i4MEmGAdQh80PguzWgpOsHV4pD6qTnXHxT+09e8d 2TFzHmACp+toD7E2F8Ops3bh4WRpAn3TJC2BMgwYIY1v+T/1RfSWR4bfcDFi3LYoaz1w nTKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=gzb1Uefp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s6si443950ejc.744.2021.05.12.09.53.55; Wed, 12 May 2021 09:54:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=gzb1Uefp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244613AbhELQuz (ORCPT + 99 others); Wed, 12 May 2021 12:50:55 -0400 Received: from mail.kernel.org ([198.145.29.99]:51030 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235405AbhELPtb (ORCPT ); Wed, 12 May 2021 11:49:31 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 54FBE619C8; Wed, 12 May 2021 15:25:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620833127; bh=szq5GQ7Ee/QQCsfxAcC3LIQckkDmbGnsAIIe5Uonr3w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gzb1Uefp8a1dive0e+s5m+ZuFhbp5aSf9mQ/eLqsT24xUHsuJ7SsZdsWVBOBVumHU E+rpCf/NlmoLkKQjRwSLRYTFJ49sdp08OA6rxNW0AF7tdUthyEhNuNmnZ2hTnYTXiz os73a3B6OMR0lnCY9KCCR0pHdPr2KNnRut74YT78= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thadeu Lima de Souza Cascardo , Jens Axboe Subject: [PATCH 5.11 004/601] io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers Date: Wed, 12 May 2021 16:41:21 +0200 Message-Id: <20210512144827.969061914@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144827.811958675@linuxfoundation.org> References: <20210512144827.811958675@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Thadeu Lima de Souza Cascardo commit d1f82808877bb10d3deee7cf3374a4eb3fb582db upstream. Read and write operations are capped to MAX_RW_COUNT. Some read ops rely on that limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS. Truncate those lengths when doing io_add_buffers, so buffer addresses still use the uncapped length. Also, take the chance and change struct io_buffer len member to __u32, so it matches struct io_provide_buffer len member. This fixes CVE-2021-3491, also reported as ZDI-CAN-13546. Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") Reported-by: Billy Jheng Bing-Jhong (@st424204) Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- fs/io_uring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -222,7 +222,7 @@ struct fixed_file_data { struct io_buffer { struct list_head list; __u64 addr; - __s32 len; + __u32 len; __u16 bid; }; @@ -4252,7 +4252,7 @@ static int io_add_buffers(struct io_prov break; buf->addr = addr; - buf->len = pbuf->len; + buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT); buf->bid = bid; addr += pbuf->len; bid++;