On 19/03/2021 10:21, Pavel Begunkov wrote:
> io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension
> problems. Not a huge problem as it's only used for access_ok() and
> increases the checked length, but better to keep typing right.
>
> Reported-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access")
> Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
> ---
> fs/io_uring.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index c2489b463eb9..4f1c98502a09 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -3978,6 +3978,7 @@ static int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
> static int io_provide_buffers_prep(struct io_kiocb *req,
> const struct io_uring_sqe *sqe)
> {
> + unsigned long size;
> struct io_provide_buf *p = &req->pbuf;
> u64 tmp;
>
> @@ -3991,7 +3992,8 @@ static int io_provide_buffers_prep(struct io_kiocb *req,
> p->addr = READ_ONCE(sqe->addr);
> p->len = READ_ONCE(sqe->len);
>
> - if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs)))
> + size = (unsigned long)p->len * p->nbufs;
> + if (!access_ok(u64_to_user_ptr(p->addr), size))
> return -EFAULT;
>
> p->bgid = READ_ONCE(sqe->buf_group);
>
Does it make sense to make size a u64 and cast to a u64 rather than
unsigned long?
