[v2,6/6] aio: sanitize the limit checking in io_submit(2)

Message ID	20180528175707.10926-6-viro@ZenIV.linux.org.uk (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> From: Al Viro <viro@ZenIV.linux.org.uk> To: linux-fsdevel@vger.kernel.org Cc: Christoph Hellwig <hch@lst.de> Subject: [PATCH v2 6/6] aio: sanitize the limit checking in io_submit(2) Date: Mon, 28 May 2018 18:57:07 +0100 Message-Id: <20180528175707.10926-6-viro@ZenIV.linux.org.uk> In-Reply-To: <20180528175707.10926-1-viro@ZenIV.linux.org.uk> References: <20180528175430.GC30522@ZenIV.linux.org.uk> <20180528175707.10926-1-viro@ZenIV.linux.org.uk> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk

Message ID

20180528175707.10926-6-viro@ZenIV.linux.org.uk (mailing list archive)

State

New, archived

Headers

From: Al Viro <viro@ZenIV.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
Cc: Christoph Hellwig <hch@lst.de>
Subject: [PATCH v2 6/6] aio: sanitize the limit checking in io_submit(2)
Date: Mon, 28 May 2018 18:57:07 +0100
Message-Id: <20180528175707.10926-6-viro@ZenIV.linux.org.uk>
In-Reply-To: <20180528175707.10926-1-viro@ZenIV.linux.org.uk>
References: <20180528175430.GC30522@ZenIV.linux.org.uk>
	<20180528175707.10926-1-viro@ZenIV.linux.org.uk>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Al Viro May 28, 2018, 5:57 p.m. UTC

From: Al Viro <viro@zeniv.linux.org.uk>

as it is, the logics in native io_submit(2) is "if asked for
more than LONG_MAX/sizeof(pointer) iocbs to submit, don't
bother with more than LONG_MAX/sizeof(pointer)" (i.e.
512M requests on 32bit and 1E requests on 64bit) while
compat io_submit(2) goes with "stop after the first
PAGE_SIZE/sizeof(pointer) iocbs", i.e. 1K or so.  Which is
	* inconsistent
	* *way* too much in native case
	* possibly too little in compat one
and
	* wrong anyway, since the natural point where we
ought to stop bothering is ctx->nr_events

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 fs/aio.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

Comments

Christoph Hellwig May 29, 2018, 6:10 a.m. UTC | #1

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

diff --git a/fs/aio.c b/fs/aio.c
index f67b0847ecac..aa4071c98335 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1844,15 +1844,15 @@  SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
 	if (unlikely(nr < 0))
 		return -EINVAL;
 
-	if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
-		nr = LONG_MAX/sizeof(*iocbpp);
-
 	ctx = lookup_ioctx(ctx_id);
 	if (unlikely(!ctx)) {
 		pr_debug("EINVAL: invalid context id\n");
 		return -EINVAL;
 	}
 
+	if (nr > ctx->nr_events)
+		nr = ctx->nr_events;
+
 	blk_start_plug(&plug);
 	for (i = 0; i < nr; i++) {
 		struct iocb __user *user_iocb;
@@ -1873,8 +1873,6 @@  SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
 }
 
 #ifdef CONFIG_COMPAT
-#define MAX_AIO_SUBMITS 	(PAGE_SIZE/sizeof(struct iocb *))
-
 COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
 		       int, nr, compat_uptr_t __user *, iocbpp)
 {
@@ -1886,9 +1884,6 @@  COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
 	if (unlikely(nr < 0))
 		return -EINVAL;
 
-	if (nr > MAX_AIO_SUBMITS)
-		nr = MAX_AIO_SUBMITS;
-
 	ctx = lookup_ioctx(ctx_id);
 	if (unlikely(!ctx)) {
 		pr_debug("EINVAL: invalid context id\n");

[v2,6/6] aio: sanitize the limit checking in io_submit(2)

Commit Message

Comments

Patch