From: Dmitry Vyukov <dvyukov@google.com>
To: Benjamin LaHaise <bcrl@kvack.org>
Cc: Jan Kara <jack@suse.cz>, Alexander Viro <viro@zeniv.linux.org.uk>,
linux-aio <linux-aio@kvack.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Sasha Levin <sasha.levin@oracle.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>
Subject: Re: int overflow in io_getevents
Date: Thu, 7 Jan 2016 17:27:19 +0100 [thread overview]
Message-ID: <CACT4Y+YkNOd7k0bJof6F6ayt8fHrb-vU102+0PJAGw0B1471AA@mail.gmail.com> (raw)
In-Reply-To: <20160107155234.GM4439@kvack.org>
On Thu, Jan 7, 2016 at 4:52 PM, Benjamin LaHaise <bcrl@kvack.org> wrote:
> On Thu, Jan 07, 2016 at 04:37:43PM +0100, Dmitry Vyukov wrote:
>> pass ts to the function
>
> Yeah, I should have had my morning coffee before hitting send. Updated
> below, and hopefully final. Checked with a test program to confirm that
> the huge value of seconds in timespec correctly waits, and that negative
> or other invalid values fail with EINVAL (download from
> http://www.kvack.org/~bcrl/aio-io_getevents-timespec.c ).
>
> -ben
> --
> "Thought is the essence of where you are now."
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Thanks!
> commit 49b78150bc5762c58cfb8b19a859c354cf1a71ac
> Author: Benjamin LaHaise <bcrl@kvack.org>
> Date: Thu Jan 7 10:37:58 2016 -0500
>
> aio: handle integer overflow in io_getevents() timespec usage
>
> Dmitry Vyukov reported an integer overflow in io_getevents() when
> running a fuzzer. Upon investigation, the triggers appears to be that
> an invalid value for the tv_sec or tv_nsec was passed in which is not
> handled by timespec_to_ktime(). This patch fixes that by making
> io_getevents() return -EINVAL when timespec_valid() checks fail. We
> use timespec_valid() instead of timespec_valid_strict() to avoid issues
> caused by userspace not knowing the cutoff for KTIME_SEC_MAX.
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
>
> diff --git a/fs/aio.c b/fs/aio.c
> index 155f842..e0d5398 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -1269,6 +1269,8 @@ static long read_events(struct kioctx *ctx, long min_nr, long nr,
>
> if (unlikely(copy_from_user(&ts, timeout, sizeof(ts))))
> return -EFAULT;
> + if (!timespec_valid(&ts))
> + return -EINVAL;
>
> until = timespec_to_ktime(ts);
> }
next prev parent reply other threads:[~2016-01-07 16:27 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-07 10:27 int overflow in io_getevents Dmitry Vyukov
2015-12-16 12:56 ` Jan Kara
2015-12-16 18:38 ` Dmitry Vyukov
2015-12-18 8:15 ` Jan Kara
2016-01-06 18:01 ` Benjamin LaHaise
2016-01-07 9:12 ` Dmitry Vyukov
2016-01-07 15:31 ` Benjamin LaHaise
2016-01-07 15:37 ` Dmitry Vyukov
2016-01-07 15:52 ` Benjamin LaHaise
2016-01-07 16:27 ` Dmitry Vyukov [this message]
2016-10-26 11:44 ` Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+YkNOd7k0bJof6F6ayt8fHrb-vU102+0PJAGw0B1471AA@mail.gmail.com \
--to=dvyukov@google.com \
--cc=bcrl@kvack.org \
--cc=glider@google.com \
--cc=jack@suse.cz \
--cc=kcc@google.com \
--cc=linux-aio@kvack.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).