If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.
+ /*
+ * Overflow, abort
+ */
+ if (end < start)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
len += iov[i].iov_len;
}
@@ -939,6 +945,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
unsigned long start = uaddr >> PAGE_SHIFT;
+ /*
+ * Overflow, abort
+ */
+ if (end < start)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* buffer must be aligned to at least hardsector size for now
@@ -966,7 +978,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
unsigned long start = uaddr >> PAGE_SHIFT;
const int local_nr_pages = end - start;
const int page_limit = cur_page + local_nr_pages;
-
+
ret = get_user_pages_fast(uaddr, local_nr_pages,
write_to_vm, &pages[cur_page]);
if (ret < local_nr_pages) {
--
1.7.0.4
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
02-18-2011, 06:49 PM
Tim Gardner
bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
BugLink: http://bugs.launchpad.net/bugs/721441
CVE-2010-4162
backported from commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.
diff --git a/fs/bio.c b/fs/bio.c
index d59ddbf..2c8224c 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -609,6 +609,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
unsigned long start = uaddr >> PAGE_SHIFT;
+ /*
+ * Overflow, abort
+ */
+ if (end < start)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* buffer must be aligned to at least hardsector size for now
--
1.7.0.4
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
02-18-2011, 06:57 PM
Tim Gardner
bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
BugLink: http://bugs.launchpad.net/bugs/721441
CVE-2010-4162
backport of commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.
diff --git a/fs/bio.c b/fs/bio.c
index 460554b..f776d0a 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -574,6 +574,12 @@ static struct bio *__bio_map_user_iov(request_queue_t *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
unsigned long start = uaddr >> PAGE_SHIFT;
+ /*
+ * Overflow, abort
+ */
+ if (end < start)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* transfer and buffer must be aligned to at least hardsector
--
1.7.0.4
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
