AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.

Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
[backported to 3.10 - willy]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to apply CVE]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Id33753f8d0c1cbd1496a33e231dacceb46139dcb

diff --git a/fs/aio.c b/fs/aio.c
index ded94c4..9798d4e 100644 (file)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
 
 static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
 {
-       if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
-               return -EFAULT;
+       size_t len = kiocb->ki_nbytes;
+
+       if (len > MAX_RW_COUNT)
+               len = MAX_RW_COUNT;
+
+       if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
+                return -EFAULT;
 
        kiocb->ki_iovec = &kiocb->ki_inline_vec;
        kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-       kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
+       kiocb->ki_iovec->iov_len = len;
        kiocb->ki_nr_segs = 1;
        return 0;
 }