io_uring: fix regbuf vector size truncation - user/sven/linux.git

diff options

author	Pavel Begunkov <asml.silence@gmail.com>	2025-11-07 18:41:26 +0000
committer	Jens Axboe <axboe@kernel.dk>	2025-11-07 17:17:13 -0700
commit	146eb58629f45f8297e83d69e64d4eea4b28d972 (patch)
tree	535b9a688444edf6b4cba37695920c3370473d48 /net/unix/af_unix.c
parent	1fd5367391bf0eeb09e624c4ab45121b54eaab96 (diff)

io_uring: fix regbuf vector size truncation

There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow "int"s used later. Rough but simple, can be improved on top. Cc: stable@vger.kernel.org Fixes: 9ef4cbbcb4ac3 ("io_uring: add infra for importing vectored reg buffers") Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-458654612@google.com> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Reviewed-by: Günther Noack <gnoack@google.com> Tested-by: Günther Noack <gnoack@google.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>

Diffstat (limited to 'net/unix/af_unix.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: