Re: [PATCH] pipe: Fix bogus dereference in iov_iter_alignment()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Dec 16, 2019 at 11:54:32AM +0100, Jan Kara wrote:
> We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
> ring_size load to a branch in iov_iter_alignment() where we've already
> checked the iter is a pipe to avoid bogus dereference.
> 
> Reported-by: syzbot+bea68382bae9490e7dd6@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> ---
>  lib/iov_iter.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
>  Al, David, not sure who's going to merge this so sending to both :).

Applied, will push tonight.
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux