Details
- Bug
- Resolution: Fixed
- Medium
- None
- None
- 3
- 9223372036854775807
Description
ll_get_iov_memory calls iov_iter_get_pages_alloc2 and stores the result in a size_t, which is wrong because the return type is ssize_t (the signed counterpart of size_t).
The result is that when iov_iter_get_pages_alloc2 returns -EFAULT because of a bad userspace pointer, the negative errno is interpreted as a very large byte count:
    if (bytes > 0) {
        cdp->cdp_page_count = DIV_ROUND_UP(bytes + start, PAGE_SIZE);
        if (user_backed_iter(iter))
            iov_iter_revert(iter, bytes);
    }
The code then calls iov_iter_revert(), which generates a kernel warning about the insane value of bytes:
WARNING: CPU: 103 PID: 1628036 at lib/iov_iter.c:666 iov_iter_revert+0xcc/0xe0
However, ll_get_iov_memory itself returns an ssize_t, so the caller interprets the value correctly. The issue is therefore limited to a spurious warning in the case where userspace provides a bad pointer, and the impact is minimal.
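To make the signedness mistake concrete, here is an added example (not Lustre or kernel code) with constructed stand-ins for iov_iter_get_pages_alloc2() and iov_iter_revert(): the buggy shape stores the ssize_t result in a size_t, so -EFAULT becomes a huge byte count and the revert path runs, while the fixed shape keeps the signed type and returns the errno before touching the iterator. All names prefixed fake_, buggy_ and fixed_, and the globals used to observe the calls, are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096UL
#endif
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Constructed observation points (hypothetical, not kernel state). */
static unsigned long g_revert_calls;   /* how often iov_iter_revert() would run */
static size_t g_last_revert_bytes;     /* the value it would have been handed */
static size_t g_last_page_count;       /* what cdp_page_count would have become */

/* Stand-in for iov_iter_get_pages_alloc2(): bytes mapped, or a negative errno. */
static ssize_t fake_iov_iter_get_pages_alloc2(int bad_user_ptr, size_t len)
{
    return bad_user_ptr ? -EFAULT : (ssize_t)len;
}

/* Stand-in for iov_iter_revert(); the real one WARNs on an insane byte count. */
static void fake_iov_iter_revert(size_t bytes)
{
    g_revert_calls++;
    g_last_revert_bytes = bytes;
    if (bytes > ((size_t)1 << 40))
        printf("WARNING: iov_iter_revert called with insane value %zu\n", bytes);
}

unsigned long revert_calls(void) { return g_revert_calls; }
size_t last_revert_bytes(void) { return g_last_revert_bytes; }
size_t last_page_count(void) { return g_last_page_count; }

/* Buggy shape: ssize_t result kept in a size_t, so -EFAULT reads as SIZE_MAX-13. */
ssize_t buggy_get_iov_memory(int bad_user_ptr, size_t len, size_t start)
{
    size_t bytes = fake_iov_iter_get_pages_alloc2(bad_user_ptr, len);
    g_last_page_count = 0;
    if (bytes > 0) {                     /* also true for the error case */
        g_last_page_count = DIV_ROUND_UP(bytes + start, PAGE_SIZE);
        fake_iov_iter_revert(bytes);     /* the spurious WARNING fires here */
    }
    return (ssize_t)bytes;               /* caller still receives -EFAULT */
}

/* Fixed shape: keep the signed type and bail out before the revert. */
ssize_t fixed_get_iov_memory(int bad_user_ptr, size_t len, size_t start)
{
    ssize_t bytes = fake_iov_iter_get_pages_alloc2(bad_user_ptr, len);
    g_last_page_count = 0;
    if (bytes < 0)
        return bytes;                    /* propagate the errno, no revert */
    if (bytes > 0) {
        g_last_page_count = DIV_ROUND_UP((size_t)bytes + start, PAGE_SIZE);
        fake_iov_iter_revert((size_t)bytes);
    }
    return bytes;
}
```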