author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-24 14:00:13 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-24 14:00:13 -0700 |
commit | 10b5b5361a3c2a7fff9dbfa0f127adc2531e7732 (patch) | |
tree | f40dc0f8b3ef1a7fd3154d2231c08e0cf7e04b09 | |
parent | b4b664bef407bc80f325b2f2ab9350823c2869de (diff) | |
parent | edfbbf388f293d70bf4b7c0bc38774d05e6f711a (diff) |
Merge git://git.kvack.org/~bcrl/aio-fixes
Pull aio fixes from Ben LaHaise:
"These fix a kernel memory disclosure issue (arbitrary kmap() &
copy_to_user()) revealed in CVE-2014-0206 by changes that were
introduced in v3.10"
* git://git.kvack.org/~bcrl/aio-fixes:
aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
aio: fix aio request leak when events are reaped by userspace
-rw-r--r-- | fs/aio.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
 /* everything turned out well, dispose of the aiocb. */
 kiocb_free(iocb);
+ put_reqs_available(ctx, 1);
 /*
 * We have to order our ring_info tail store above and test
@@ -1062,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
 if (head == tail)
 goto out;
+ head %= ctx->nr_events;
+ tail %= ctx->nr_events;
+
 while (ret < nr) {
 long avail;
 struct io_event *ev;
@@ -1100,8 +1104,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
 flush_dcache_page(ctx->ring_pages[0]);
 pr_debug("%li h%u t%u\n", ret, head, tail);
-
- put_reqs_available(ctx, ret);
 out:
 mutex_unlock(&ctx->ring_lock); |
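Review bot: The added `put_reqs_available(ctx, 1);` in aio_complete() hands the request slot back as soon as the iocb is freed, before the completion event has been consumed from the ring, and nothing at the call site says why that is safe. If reqs_available is what keeps submissions from outrunning ring space (not visible in this hunk), the counter no longer bounds the number of unreaped events, so some other check would have to stop new completions from overwriting entries that have not been read yet. A short comment would record the intent, e.g. `/* return the slot at completion: userspace may reap events straight from the ring, so the read path cannot be relied on to do it */`. The call also uses `ctx` after `kiocb_free(iocb)`, so `ctx` has to be a local taken before the free; aio_complete() begins outside the hunk, so confirm that there.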
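Review bot: The two modulo lines in aio_read_events_ring() run after the `if (head == tail) goto out;` test, so the emptiness check still compares the unreduced values. Values that differ only by a multiple of `ctx->nr_events` pass that test and become equal only after the reduction, which means the loop below has to cope with an empty range on its own; the loop body continues outside the hunk, so that needs checking there. Moving `head %= ctx->nr_events;` and `tail %= ctx->nr_events;` above the comparison would let both uses see the same values. It would also help to state the trust boundary in a comment, e.g. `/* head and tail come from the ring page, which is presumably writable by userspace; reduce them before using them as indices */`, and to note that `ctx->nr_events` cannot be zero at this point.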