Usage of get_user_pages() in fs/aio.c

Usage of get_user_pages() in fs/aio.c

[Ingo Oeser]

Hi Ben,

in kernel 2.5.46 in file fs/aio.c line 150 you use
get_user_pages() in a way that makes no sense to me.

Your call is:

info->nr_pages = get_user_pages(current, ctx->mm,
                                  info->mmap_base, info->mmap_size, 
                                  1, 0, info->ring_pages, NULL);

info->mmap_size contains the number of BYTES mapped by the pages
in the ring_pages ARRAY.

get_user_pages() expects the number of ELEMENTS in the array
instead.

What this can cause is clear ;-)

Simple fix would be to replace "info->mmap_size" with "nr_pages",
that you compute just some lines above.

Please tell me, if I'm wrong here.

Regards

Ingo Oeser
-- 
Science is what we can tell a computer. Art is everything else. --- D.E.Knuth
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/

Re: Usage of get_user_pages() in fs/aio.c

[Benjamin LaHaise]

On Wed, Nov 06, 2002 at 09:15:38PM +0100, Ingo Oeser wrote:
> What this can cause is clear ;-)
> 
> Simple fix would be to replace "info->mmap_size" with "nr_pages",
> that you compute just some lines above.

Whoops.  Yeah, that's a bug.  It hasn't actually been noticed in 
testing because the array of pages is freshly allocated from mmap 
and thus stops filling the array at nr_pages, but it could be 
exploited by a hostile user.  I'll feed that patch up asap.

		-ben
-- 
"Do you seek knowledge in time travel?"
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/