
CVE-2022-4127: [PATCH] io_uring: check that we have a file table when allocating update slots

A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.


From: Jens Axboe [email protected]
To: io-uring [email protected]
Cc: Xiaoguang Wang [email protected]
Subject: [PATCH] io_uring: check that we have a file table when allocating update slots
Date: Sat, 9 Jul 2022 07:09:54 -0600
Message-ID: [email protected]

If IORING_FILE_INDEX_ALLOC is set asking for an allocated slot, the helper doesn’t check if we actually have a file table or not. The non alloc path does do that correctly, and returns -ENXIO if we haven’t set one up.

Do the same for the allocated path, avoiding a NULL pointer dereference when trying to find a free bit.

Fixes: a7c41b4687f5 ("io_uring: let IORING_OP_FILES_UPDATE support choosing fixed file slots")
Signed-off-by: Jens Axboe [email protected]


 fs/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c index cddc0e8490af…a01ea49f3017 100644 — a/fs/io_uring.c +++ b/fs/io_uring.c @@ -7973,6 +7973,9 @@ static int io_files_update_with_index_alloc(struct io_kiocb *req, struct file *file; int ret, fd;

  • if (!req->ctx->file_data)
  •   return -ENXIO;
    
  • for (done = 0; done < req->rsrc_update.nr_args; done++) { if (copy_from_user(&fd, &fds[done], sizeof(fd))) { ret = -EFAULT; – 2.35.1
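
Review bot: The new `if (!req->ctx->file_data)` guard at the top of io_files_update_with_index_alloc(), just before the `for (done = 0; ...)` loop, carries no comment and the patch adds no test, so nothing records why the alloc path needs it. Suggest a one-line comment saying that a request with IORING_FILE_INDEX_ALLOC needs a file table to be set up, plus a regression test that issues the update with no file table and expects -ENXIO. Placing the check ahead of the loop is right, since it returns before any `copy_from_user()` on `fds[]`. As the commit message says the non-alloc path already returns -ENXIO for the same condition, consider whether the check can live at a point both paths share, if one exists, so the two cannot drift apart again.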

--
Jens Axboe
