]> www.infradead.org Git - users/dwmw2/linux.git/commit
projects / users / dwmw2 / linux.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 67afa25) | patch
io_uring: prevent re-read of sqe->opcode
authorJens Axboe <axboe@kernel.dk>
Wed, 5 Aug 2020 18:34:09 +0000 (12:34 -0600)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Aug 2020 13:33:32 +0000 (15:33 +0200)
commita4d61e66ee4a66cca7c94d41fab474cd554edda7
tree41d178bffe4418b4b5fedd914d6f992622640e69tree
parent67afa25456d01f6e53c57a75e0242bb21ce9e649commit | diff
io_uring: prevent re-read of sqe->opcode

Liu reports that he can trigger a NULL pointer dereference with
IORING_OP_SENDMSG, by changing the sqe->opcode after we've validated
that the previous opcode didn't need a file and didn't assign one.

Ensure we validate and read the opcode only once.

Reported-by: Liu Yong <pkfxxxing@gmail.com>
Tested-by: Liu Yong <pkfxxxing@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/io_uring.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.