Message ID | 20210920133342.13917-2-cascardo@canonical.com |
---|---|
State | Accepted |
Series | CVE-2021-41073 |
On 20.09.21 15:33, Thadeu Lima de Souza Cascardo wrote: > From: Jens Axboe <axboe@kernel.dk> > > When setting up the next segment, we check what type the iter is and > handle it accordingly. However, when incrementing and processed amount > we do not, and both iter advance and addr/len are adjusted, regardless > of type. Split the increment side just like we do on the setup side. > > Fixes: 4017eb91a9e7 ("io_uring: make loop_rw_iter() use original user supplied pointers") > Cc: stable@vger.kernel.org > Reported-by: Valentina Palmiotti <vpalmiotti@gmail.com> > Reviewed-by: Pavel Begunkov <asml.silence@gmail.com> > Signed-off-by: Jens Axboe <axboe@kernel.dk> > (cherry picked from commit 16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc) > CVE-2021-41073 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/io_uring.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index e1e1acc4be15..b4e9b68fe196 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -3309,12 +3309,15 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter) > ret = nr; > break; > } > + if (!iov_iter_is_bvec(iter)) { > + iov_iter_advance(iter, nr); > + } else { > + req->rw.len -= nr; > + req->rw.addr += nr; > + } > ret += nr; > if (nr != iovec.iov_len) > break; > - req->rw.len -= nr; > - req->rw.addr += nr; > - iov_iter_advance(iter, nr); > } > > return ret; >
diff --git a/fs/io_uring.c b/fs/io_uring.c index e1e1acc4be15..b4e9b68fe196 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3309,12 +3309,15 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter) ret = nr; break; } + if (!iov_iter_is_bvec(iter)) { + iov_iter_advance(iter, nr); + } else { + req->rw.len -= nr; + req->rw.addr += nr; + } ret += nr; if (nr != iovec.iov_len) break; - req->rw.len -= nr; - req->rw.addr += nr; - iov_iter_advance(iter, nr); } return ret;
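Review bot: The added if/else in loop_rw_iter() sits above the "if (nr != iovec.iov_len) break;" check, while the three removed lines sat below it, so the position is now advanced on a short transfer as well. The commit message describes only the split by iter type. If the reordering is intentional, it deserves a sentence in the message so that backporters do not treat it as incidental and move the block back below the break. A one-line comment above the branch would also help, saying that bvec iters take the else path and track progress through req->rw.addr and req->rw.len instead of iov_iter_advance(). The setup side that the message refers to is not visible in this hunk, so the reader cannot confirm from the diff alone that both sides test the same condition.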