__io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov len but never assigns it to iov/fast_iov, leaving sr->len with garbage. Hopefully, the following io_buffer_select() truncates it to the selected buffer size, but the value still may be under what was specified.
Cc: stable@vger.kernel.org # 5.7
Signed-off-by: Pavel Begunkov asml.silence@gmail.com
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 1023f7b44cea..a2a7c65a77aa 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4499,7 +4499,8 @@ static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req, return -EFAULT; if (clen < 0) return -EINVAL; - sr->len = iomsg->iov[0].iov_len; + sr->len = clen; + iomsg->iov[0].iov_len = clen; iomsg->iov = NULL; } else { ret = __import_iovec(READ, (struct iovec __user *)uiov, len,
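Review bot: the added store iomsg->iov[0].iov_len = clen; sits directly above iomsg->iov = NULL;, so it only has a lasting effect if iomsg->iov still points at the inline fast_iov array at this point, which the hunk does not show. The commit message itself says "iov/fast_iov", so either write the length through fast_iov explicitly or add a one-line comment stating that iov aliases fast_iov here; otherwise a later change to how iov is set up could silently turn this into a store to the wrong place. It would also help to say in the changelog where the old garbage in iov[0].iov_len came from, since the removed line read it before anything in this branch had written it.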
On 11/29/20 11:33 AM, Pavel Begunkov wrote:
> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov len but never assigns it to iov/fast_iov, leaving sr->len with garbage. Hopefully, the following io_buffer_select() truncates it to the selected buffer size, but the value still may be under what was specified.
Applied, thanks.
On 30/11/2020 18:12, Jens Axboe wrote:
> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov len but never assigns it to iov/fast_iov, leaving sr->len with garbage. Hopefully, the following io_buffer_select() truncates it to the selected buffer size, but the value still may be under what was specified.
> Applied, thanks.
Jens, apologies but where did it go? Can't find at git.kernel.dk
On 12/2/20 3:04 PM, Pavel Begunkov wrote:
> On 30/11/2020 18:12, Jens Axboe wrote:
>> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov len but never assigns it to iov/fast_iov, leaving sr->len with garbage. Hopefully, the following io_buffer_select() truncates it to the selected buffer size, but the value still may be under what was specified.
>> Applied, thanks.
> Jens, apologies but where did it go? Can't find at git.kernel.dk
Looks like I forgot to push it out, but it did get applied to io_uring-5.10. My git box is having an issue right now, so can't even push it out... Will do so tomorrow morning.
On 02/12/2020 23:24, Jens Axboe wrote:
> On 12/2/20 3:04 PM, Pavel Begunkov wrote:
>> On 30/11/2020 18:12, Jens Axboe wrote:
>>> On 11/29/20 11:33 AM, Pavel Begunkov wrote:
>>>> __io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov len but never assigns it to iov/fast_iov, leaving sr->len with garbage. Hopefully, the following io_buffer_select() truncates it to the selected buffer size, but the value still may be under what was specified.
>>> Applied, thanks.
>> Jens, apologies but where did it go? Can't find at git.kernel.dk
> Looks like I forgot to push it out, but it did get applied to io_uring-5.10. My git box is having an issue right now, so can't even push it out... Will do so tomorrow morning.
That's ok, just trying to keep track. Sorry for bothering
linux-stable-mirror@lists.linaro.org