readv/writev: do the same MAX_RW_COUNT truncation that read/write does
We used to protect against overflow, but rather than return an error, do what read/write does, namely to limit the total size to MAX_RW_COUNT. This is not only more consistent, but it also means that any broken low-level read/write routine that still keeps counts in 'int' can't break. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
f56f44001c
commit
435f49a518
3 changed files with 40 additions and 35 deletions
12
fs/compat.c
12
fs/compat.c
|
@ -606,14 +606,14 @@ ssize_t compat_rw_copy_check_uvector(int type,
|
|||
/*
|
||||
* Single unix specification:
|
||||
* We should -EINVAL if an element length is not >= 0 and fitting an
|
||||
* ssize_t. The total length is fitting an ssize_t
|
||||
* ssize_t.
|
||||
*
|
||||
* Be careful here because iov_len is a size_t not an ssize_t
|
||||
* In Linux, the total length is limited to MAX_RW_COUNT, there is
|
||||
* no overflow possibility.
|
||||
*/
|
||||
tot_len = 0;
|
||||
ret = -EINVAL;
|
||||
for (seg = 0; seg < nr_segs; seg++) {
|
||||
compat_ssize_t tmp = tot_len;
|
||||
compat_uptr_t buf;
|
||||
compat_ssize_t len;
|
||||
|
||||
|
@ -624,13 +624,13 @@ ssize_t compat_rw_copy_check_uvector(int type,
|
|||
}
|
||||
if (len < 0) /* size_t not fitting in compat_ssize_t .. */
|
||||
goto out;
|
||||
tot_len += len;
|
||||
if (tot_len < tmp) /* maths overflow on the compat_ssize_t */
|
||||
goto out;
|
||||
if (!access_ok(vrfy_dir(type), compat_ptr(buf), len)) {
|
||||
ret = -EFAULT;
|
||||
goto out;
|
||||
}
|
||||
if (len > MAX_RW_COUNT - tot_len)
|
||||
len = MAX_RW_COUNT - tot_len;
|
||||
tot_len += len;
|
||||
iov->iov_base = compat_ptr(buf);
|
||||
iov->iov_len = (compat_size_t) len;
|
||||
uvector++;
|
||||
|
|
|
@ -243,8 +243,6 @@ SYSCALL_DEFINE5(llseek, unsigned int, fd, unsigned long, offset_high,
|
|||
* them to something that fits in "int" so that others
|
||||
* won't have to do range checks all the time.
|
||||
*/
|
||||
#define MAX_RW_COUNT (INT_MAX & PAGE_CACHE_MASK)
|
||||
|
||||
int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count)
|
||||
{
|
||||
struct inode *inode;
|
||||
|
@ -584,65 +582,71 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
|
|||
unsigned long nr_segs, unsigned long fast_segs,
|
||||
struct iovec *fast_pointer,
|
||||
struct iovec **ret_pointer)
|
||||
{
|
||||
{
|
||||
unsigned long seg;
|
||||
ssize_t ret;
|
||||
ssize_t ret;
|
||||
struct iovec *iov = fast_pointer;
|
||||
|
||||
/*
|
||||
* SuS says "The readv() function *may* fail if the iovcnt argument
|
||||
* was less than or equal to 0, or greater than {IOV_MAX}. Linux has
|
||||
* traditionally returned zero for zero segments, so...
|
||||
*/
|
||||
/*
|
||||
* SuS says "The readv() function *may* fail if the iovcnt argument
|
||||
* was less than or equal to 0, or greater than {IOV_MAX}. Linux has
|
||||
* traditionally returned zero for zero segments, so...
|
||||
*/
|
||||
if (nr_segs == 0) {
|
||||
ret = 0;
|
||||
goto out;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* First get the "struct iovec" from user memory and
|
||||
* verify all the pointers
|
||||
*/
|
||||
/*
|
||||
* First get the "struct iovec" from user memory and
|
||||
* verify all the pointers
|
||||
*/
|
||||
if (nr_segs > UIO_MAXIOV) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
goto out;
|
||||
}
|
||||
if (nr_segs > fast_segs) {
|
||||
iov = kmalloc(nr_segs*sizeof(struct iovec), GFP_KERNEL);
|
||||
iov = kmalloc(nr_segs*sizeof(struct iovec), GFP_KERNEL);
|
||||
if (iov == NULL) {
|
||||
ret = -ENOMEM;
|
||||
goto out;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (copy_from_user(iov, uvector, nr_segs*sizeof(*uvector))) {
|
||||
ret = -EFAULT;
|
||||
goto out;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* According to the Single Unix Specification we should return EINVAL
|
||||
* if an element length is < 0 when cast to ssize_t or if the
|
||||
* total length would overflow the ssize_t return value of the
|
||||
* system call.
|
||||
*/
|
||||
*
|
||||
* Linux caps all read/write calls to MAX_RW_COUNT, and avoids the
|
||||
* overflow case.
|
||||
*/
|
||||
ret = 0;
|
||||
for (seg = 0; seg < nr_segs; seg++) {
|
||||
void __user *buf = iov[seg].iov_base;
|
||||
ssize_t len = (ssize_t)iov[seg].iov_len;
|
||||
for (seg = 0; seg < nr_segs; seg++) {
|
||||
void __user *buf = iov[seg].iov_base;
|
||||
ssize_t len = (ssize_t)iov[seg].iov_len;
|
||||
|
||||
/* see if we we're about to use an invalid len or if
|
||||
* it's about to overflow ssize_t */
|
||||
if (len < 0 || (ret + len < ret)) {
|
||||
if (len < 0) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
goto out;
|
||||
}
|
||||
if (unlikely(!access_ok(vrfy_dir(type), buf, len))) {
|
||||
ret = -EFAULT;
|
||||
goto out;
|
||||
goto out;
|
||||
}
|
||||
if (len > MAX_RW_COUNT - ret) {
|
||||
len = MAX_RW_COUNT - ret;
|
||||
iov[seg].iov_len = len;
|
||||
}
|
||||
|
||||
ret += len;
|
||||
}
|
||||
}
|
||||
out:
|
||||
*ret_pointer = iov;
|
||||
return ret;
|
||||
|
|
|
@ -1867,6 +1867,7 @@ extern int current_umask(void);
|
|||
/* /sys/fs */
|
||||
extern struct kobject *fs_kobj;
|
||||
|
||||
#define MAX_RW_COUNT (INT_MAX & PAGE_CACHE_MASK)
|
||||
extern int rw_verify_area(int, struct file *, loff_t *, size_t);
|
||||
|
||||
#define FLOCK_VERIFY_READ 1
|
||||
|
|
Loading…
Reference in a new issue