| Message ID | f9c2c75ec4d356a0c61289073f68d98e8a9db190.1743446271.git.asml.silence@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [1/1] io_uring/rsrc: check size when importing reg buffer | expand |
On Mon, 31 Mar 2025 19:40:21 +0100, Pavel Begunkov wrote: > We're relying on callers to verify the IO size, do it inside of > io_import_fixed() instead. It's safer, easier to deal with, and more > consistent as now it's done close to the iter init site. > > Applied, thanks! [1/1] io_uring/rsrc: check size when importing reg buffer commit: a1fbe0a12178a006b04a7fa528457f9901d6c6d0 Best regards,
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 607b09bd8374..6a449d108234 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -1016,6 +1016,8 @@ static int io_import_fixed(int ddir, struct iov_iter *iter, /* not inside the mapped region */ if (unlikely(buf_addr < imu->ubuf || buf_end > (imu->ubuf + imu->len))) return -EFAULT; + if (unlikely(len > MAX_RW_COUNT)) + return -EFAULT; if (!(imu->dir & (1 << ddir))) return -EFAULT;
We're relying on callers to verify the IO size, do it inside of io_import_fixed() instead. It's safer, easier to deal with, and more consistent as now it's done close to the iter init site. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> --- io_uring/rsrc.c | 2 ++ 1 file changed, 2 insertions(+)