From 43966c63cf5f0b3985844abf2a7c433a877de534 Mon Sep 17 00:00:00 2001
From: Zhen Lei
Date: Tue, 19 Feb 2019 11:07:20 +0800
Subject: [PATCH] aio: make sure the input "timeout" value is valid
euler inclusion
category: bugfix
bugzilla: NA
CVE: NA
-------------------------------------------------------------------------
UBSAN: Undefined behaviour in include/linux/ktime.h:55:34
signed integer overflow: -4971973988617027584 * 1000000000 cannot be represented in type 'long int'
......
[] timespec_to_ktime include/linux/ktime.h:55 [inline]
[] read_events+0x4c8/0x5d0 fs/aio.c:1269
[] SYSC_io_getevents fs/aio.c:1733 [inline]
[] SyS_io_getevents+0xd4/0x218 fs/aio.c:1722
Signed-off-by: Zhen Lei
[Conflicts: fs/aio.c fs/compat.c Rebuild patch to apply for 4.19. ]
Signed-off-by: yangerkun
Reviewed-by: Yang Yingliang
Signed-off-by: Yang Yingliang
---
 fs/aio.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/aio.c b/fs/aio.c
index 44551d96eaa4..0ebf195fb371 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -2040,16 +2040,25 @@ static long do_io_getevents(aio_context_t ctx_id,
 struct io_event __user *events,
 struct timespec64 *ts)
 {
- ktime_t until = ts ? timespec64_to_ktime(*ts) : KTIME_MAX;
 struct kioctx *ioctx = lookup_ioctx(ctx_id);
 long ret = -EINVAL;
 if (likely(ioctx)) {
+ ktime_t until;
+
+ if (!ts)
+ until = KTIME_MAX;
+ else if (!timespec64_valid(ts))
+ goto out;
+ else
+ until = timespec64_to_ktime(*ts);
+
 if (likely(min_nr <= nr && min_nr >= 0))
 ret = read_events(ioctx, min_nr, nr, events, until);
 percpu_ref_put(&ioctx->users);
 }
+out:
 return ret;
 }
--
GitLab
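Review bot: The new `goto out;` in the `!timespec64_valid(ts)` branch jumps past `percpu_ref_put(&ioctx->users);`, so a call with an invalid timeout returns -EINVAL without dropping the reference that the normal path releases (presumably the one taken by `lookup_ioctx()`). Since `ts` originates from the io_getevents caller, each rejected call would leave the kioctx pinned, turning the overflow fix into a reference leak. Keep the put on the error path, for example by changing the branch to `goto out_put;` and placing `out_put:` directly before `percpu_ref_put(&ioctx->users);`, or by validating `ts` before the context is looked up. The signature of do_io_getevents begins outside the hunk.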