The patch titled aio: fix access_ok() checks has been added to the -mm tree. Its filename is fix-access_ok-checks.patch *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find out what to do about this ------------------------------------------------------ Subject: aio: fix access_ok() checks From: Sébastien Dugué <sebastien.dugue@xxxxxxxx> sys_io_submit() and compat_sys_io_submit() check for the number of requests (nr) being positive, but the following access_ok() call uses nr * sizeof(ptr) which can overflow to a negative number. Just make sure that nr * sizeof(ptr) is positive in the first place. Signed-off-by: Sébastien Dugué <sebastien.dugue@xxxxxxxx> Cc: Bharata B Rao <bharata@xxxxxxxxxx> Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx> Cc: Suparna Bhattacharya <suparna@xxxxxxxxxx> Cc: Zach Brown <zach.brown@xxxxxxxxxx> Cc: Oleg Nesterov <oleg@xxxxxxxxxx> Cc: Badari Pulavarty <pbadari@xxxxxxxxxx> Cc: Benjamin LaHaise <bcrl@xxxxxxxxxxxxxxx> Cc: Jean Pierre Dion <jean-pierre.dion@xxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxx> --- fs/aio.c | 2 +- fs/compat.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff -puN fs/aio.c~fix-access_ok-checks fs/aio.c --- a/fs/aio.c~fix-access_ok-checks +++ a/fs/aio.c @@ -1630,7 +1630,7 @@ asmlinkage long sys_io_submit(aio_contex long ret = 0; int i; - if (unlikely(nr < 0)) + if (unlikely((nr*sizeof(*iocbpp)) < 0)) return -EINVAL; if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp))))) diff -puN fs/compat.c~fix-access_ok-checks fs/compat.c --- a/fs/compat.c~fix-access_ok-checks +++ a/fs/compat.c 
@@ -651,7 +651,7 @@ compat_sys_io_submit(aio_context_t ctx_i long ret = 0; int i; - if (unlikely(nr < 0)) + if (unlikely((nr * sizeof(u32)) < 0)) return -EINVAL; if (unlikely(!access_ok(VERIFY_READ, iocb, (nr * sizeof(u32))))) _ Patches currently in -mm which might be from sebastien.dugue@xxxxxxxx are rework-compat_sys_io_submit.patch fix-aioh-includes.patch fix-access_ok-checks.patch make-good_sigevent-non-static.patch make-__sigqueue_free-and.patch aio-completion-signal-notification.patch add-listio-syscall-support.patch
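Review bot: the new condition `(nr*sizeof(*iocbpp)) < 0` in the fs/aio.c hunk can never be true. sizeof yields an unsigned size_t, so when nr is an int or a long (its declaration is outside the hunk) the usual arithmetic conversions make the product unsigned, and an unsigned value is never less than zero. The replaced `nr < 0` test did reject negative counts, so after this change neither a negative nr nor a wrapped product is caught before `access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))` receives the size. Suggest keeping `nr < 0` and adding a division-based bound that cannot wrap, for example `nr > LONG_MAX/sizeof(*iocbpp)` if nr is a long, with both cases returning -EINVAL.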
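Review bot: `(nr * sizeof(u32)) < 0` in the compat_sys_io_submit hunk is always false for the same reason as the fs/aio.c check: the product takes the unsigned type of sizeof, so the negative-count test it replaces is lost rather than strengthened. Suggest restoring `nr < 0` and bounding nr by division, for example `nr > INT_MAX/sizeof(u32)` if nr is an int, and computing the byte count once in a local variable so the guard and the access_ok() call use the same value.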