
Commit 9c280f9

isilence authored and axboe committed
io_uring: don't read user-shared sqe flags twice
Don't re-read the userspace-shared sqe->flags: the value can change between two reads, and that can be exploited. sqe->flags are copied into req->flags in io_submit_sqe(), so check them there instead.

Signed-off-by: Pavel Begunkov <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
1 parent 0553b8b commit 9c280f9


1 file changed

+8
-12
lines changed


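--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2931,7 +2931,7 @@ static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 
 if (sqe->ioprio || sqe->buf_index)
 return -EINVAL;
-if (sqe->flags & IOSQE_FIXED_FILE)
+if (req->flags & REQ_F_FIXED_FILE)
 return -EBADF;
 if (req->flags & REQ_F_NEED_CLEANUP)
 return 0;
@@ -2964,7 +2964,7 @@ static int io_openat2_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 
 if (sqe->ioprio || sqe->buf_index)
 return -EINVAL;
-if (sqe->flags & IOSQE_FIXED_FILE)
+if (req->flags & REQ_F_FIXED_FILE)
 return -EBADF;
 if (req->flags & REQ_F_NEED_CLEANUP)
 return 0;
@@ -3318,7 +3318,7 @@ static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 
 if (sqe->ioprio || sqe->buf_index)
 return -EINVAL;
-if (sqe->flags & IOSQE_FIXED_FILE)
+if (req->flags & REQ_F_FIXED_FILE)
 return -EBADF;
 if (req->flags & REQ_F_NEED_CLEANUP)
 return 0;
@@ -3395,7 +3395,7 @@ static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
 sqe->rw_flags || sqe->buf_index)
 return -EINVAL;
-if (sqe->flags & IOSQE_FIXED_FILE)
+if (req->flags & REQ_F_FIXED_FILE)
 return -EBADF;
 
 req->close.fd = READ_ONCE(sqe->fd);
@@ -5366,15 +5366,10 @@ static int io_file_get(struct io_submit_state *state, struct io_kiocb *req,
 }
 
 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
-const struct io_uring_sqe *sqe)
+int fd, unsigned int flags)
 {
-unsigned flags;
-int fd;
 bool fixed;
 
-flags = READ_ONCE(sqe->flags);
-fd = READ_ONCE(sqe->fd);
-
 if (!io_req_needs_file(req, fd))
 return 0;
 
@@ -5616,7 +5611,7 @@ static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 {
 struct io_ring_ctx *ctx = req->ctx;
 unsigned int sqe_flags;
-int ret, id;
+int ret, id, fd;
 
 sqe_flags = READ_ONCE(sqe->flags);
 
@@ -5647,7 +5642,8 @@ static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 IOSQE_ASYNC | IOSQE_FIXED_FILE |
 IOSQE_BUFFER_SELECT);
 
-ret = io_req_set_file(state, req, sqe);
+fd = READ_ONCE(sqe->fd);
+ret = io_req_set_file(state, req, fd, sqe_flags);
 if (unlikely(ret)) {
 err_req:
 io_cqring_add_event(req, ret);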
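Review bot: The new `fd = READ_ONCE(sqe->fd);` at 5645 in io_submit_sqe still leaves sqe->fd read a second time by io_close_prep at 3401 (`req->close.fd = READ_ONCE(sqe->fd);`), so the user-shared-memory hazard this commit closes for sqe->flags remains for the fd field. Whether the two reads can diverge harmfully depends on what io_req_needs_file() returns for IORING_OP_CLOSE, which is outside the hunk; if it returns false for close the first read is simply unused and the pattern is fragile rather than wrong. Either way a comment at the READ_ONCE would make the rule explicit for future prep handlers: `/* sqe is in user-shared memory: read each field once and work from the req copy afterwards */`. io_submit_sqe starts and ends outside this hunk.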
