From: Bijan Mottahedeh bijan.mottahedeh@oracle.com
mainline inclusion from mainline-5.8-rc1 commit efe68c1ca8f49e8c06afd74b699411bfbb8ba1ff category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------
Account for the number of provided buffers when validating the address range.
Signed-off-by: Bijan Mottahedeh bijan.mottahedeh@oracle.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 4fccfac7aca0..1d2d6fc42350 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3147,7 +3147,7 @@ static int io_provide_buffers_prep(struct io_kiocb *req, p->addr = READ_ONCE(sqe->addr); p->len = READ_ONCE(sqe->len);
- if (!access_ok(u64_to_user_ptr(p->addr), p->len)) + if (!access_ok(u64_to_user_ptr(p->addr), (p->len * p->nbufs))) return -EFAULT;
p->bgid = READ_ONCE(sqe->buf_group);