From: Jeff Moyer <jmoyer@redhat.com> Date: Thu, 16 Sep 2010 20:21:15 -0400 Subject: [fs] aio: check for multiplication overflow in io_submit Message-id: <x49ocbxtp6s.fsf@segfault.boston.devel.redhat.com> Patchwork-id: 28274 O-Subject: [rhel5 patch] aio: check for multiplication overflow in io_submit Bugzilla: 629449 RH-Acked-by: Eric Sandeen <sandeen@redhat.com> Hi, This is a backport of the following upstream commit: commit 75e1c70fc31490ef8a373ea2a4bea2524099b478 Author: Jeff Moyer <jmoyer@redhat.com> Date: Fri Sep 10 14:16:00 2010 -0700 aio: check for multiplication overflow in do_io_submit Tavis Ormandy pointed out that do_io_submit does not do proper bounds checking on the passed in iocb array: if (unlikely(nr < 0)) return -EINVAL; if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp))))) return -EFAULT; ^^^^^^^^^^^^^^^^^^^^ The attached patch ensures that that multiplication doesn't overflow by limiting nr if it does. This is an ok thing to do, as sys_io_submit is documented as returning the number of iocbs submitted, so callers should handle a return value of less than the 'nr' argument passed in. Cheers, Jeff Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/fs/aio.c b/fs/aio.c index a4386b6..aa2d9d3 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1816,6 +1816,10 @@ asmlinkage long sys_io_submit(aio_context_t ctx_id, long nr, if (unlikely(nr < 0)) return -EINVAL; + /* Check for overflow */ + if (unlikely(nr > LONG_MAX/sizeof(*iocbpp))) + nr = LONG_MAX/sizeof(*iocbpp); + if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp))))) return -EFAULT;