linux-fsdevel.vger.kernel.org archive mirror
* [PATCH] pipe: Fix bogus dereference in iov_iter_alignment()
@ 2019-12-16 10:54 Jan Kara
  2019-12-16 17:46 ` Al Viro
  2019-12-17 17:57 ` David Howells
  0 siblings, 2 replies; 3+ messages in thread
From: Jan Kara @ 2019-12-16 10:54 UTC (permalink / raw)
  To: Al Viro; +Cc: David Howells, linux-fsdevel, Jan Kara

We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
ring_size load to a branch in iov_iter_alignment() where we've already
checked the iter is a pipe to avoid bogus dereference.

Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
Signed-off-by: Jan Kara <jack@suse.cz>
---
 lib/iov_iter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

 Al, David, not sure who's going to merge this so sending to both :).

								Honza

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index fb29c02c6a3c..51595bf3af85 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1222,11 +1222,12 @@ EXPORT_SYMBOL(iov_iter_discard);
 
 unsigned long iov_iter_alignment(const struct iov_iter *i)
 {
-	unsigned int p_mask = i->pipe->ring_size - 1;
 	unsigned long res = 0;
 	size_t size = i->count;
 
 	if (unlikely(iov_iter_is_pipe(i))) {
+		unsigned int p_mask = i->pipe->ring_size - 1;
+
 		if (size && i->iov_offset && allocated(&i->pipe->bufs[i->head & p_mask]))
 			return size | i->iov_offset;
 		return size;
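Review bot: The p_mask declaration that now sits inside the iov_iter_is_pipe() branch still computes the mask as ring_size - 1, which is only a valid index mask for i->pipe->bufs[] when ring_size is a nonzero power of two. The hunk does not say where that is guaranteed, so a short comment naming the invariant would help. Scoping the load to the branch is the right fix, because the removed top-of-function initializer read i->pipe before the type check ran. Since the Fixes: tag attributes that initializer to 8cefc107ca54, it is worth checking whether other functions in lib/iov_iter.c compute the same mask at declaration time, ahead of their own iov_iter_is_pipe() check.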
-- 
2.16.4



* Re: [PATCH] pipe: Fix bogus dereference in iov_iter_alignment()
  2019-12-16 10:54 [PATCH] pipe: Fix bogus dereference in iov_iter_alignment() Jan Kara
@ 2019-12-16 17:46 ` Al Viro
  2019-12-17 17:57 ` David Howells
  1 sibling, 0 replies; 3+ messages in thread
From: Al Viro @ 2019-12-16 17:46 UTC (permalink / raw)
  To: Jan Kara; +Cc: David Howells, linux-fsdevel

On Mon, Dec 16, 2019 at 11:54:32AM +0100, Jan Kara wrote:
> We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
> ring_size load to a branch in iov_iter_alignment() where we've already
> checked the iter is a pipe to avoid bogus dereference.
> 
> Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
> Signed-off-by: Jan Kara <jack@suse.cz>
> ---
>  lib/iov_iter.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
>  Al, David, not sure who's going to merge this so sending to both :).

Applied, will push tonight.


* Re: [PATCH] pipe: Fix bogus dereference in iov_iter_alignment()
  2019-12-16 10:54 [PATCH] pipe: Fix bogus dereference in iov_iter_alignment() Jan Kara
  2019-12-16 17:46 ` Al Viro
@ 2019-12-17 17:57 ` David Howells
  1 sibling, 0 replies; 3+ messages in thread
From: David Howells @ 2019-12-17 17:57 UTC (permalink / raw)
  To: Jan Kara; +Cc: dhowells, Al Viro, linux-fsdevel

Jan Kara <jack@suse.cz> wrote:

> We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
> ring_size load to a branch in iov_iter_alignment() where we've already
> checked the iter is a pipe to avoid bogus dereference.
> 
> Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
> Signed-off-by: Jan Kara <jack@suse.cz>

Reviewed-by: David Howells <dhowells@redhat.com>


