Commit 146eb586 authored Nov 07, 2025 by Pavel Begunkov Committed by Jens Axboe Nov 07, 2025

io_uring: fix regbuf vector size truncation



There is a report of io_estimate_bvec_size() truncating the calculated
number of segments that leads to corruption issues. Check it doesn't
overflow "int"s used later. Rough but simple, can be improved on top.

Cc: stable@vger.kernel.org
Fixes: 9ef4cbbc ("io_uring: add infra for importing vectored reg buffers")
Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-458654612@google.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Günther Noack <gnoack@google.com>
Tested-by: Günther Noack <gnoack@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 1fd53673

io_uring/rsrc.c

+9 −2

Original line number	Diff line number	Diff line
		@@ -1403,8 +1403,11 @@ static int io_estimate_bvec_size(struct iovec *iov, unsigned nr_iovs,
		size_t max_segs = 0;
		unsigned i;

		for (i = 0; i < nr_iovs; i++)
		for (i = 0; i < nr_iovs; i++) {
		max_segs += (iov[i].iov_len >> shift) + 2;
		if (max_segs > INT_MAX)
		return -EOVERFLOW;
		}
		return max_segs;
		}

		@@ -1510,7 +1513,11 @@ int io_import_reg_vec(int ddir, struct iov_iter *iter,
		if (unlikely(ret))
		return ret;
		} else {
		nr_segs = io_estimate_bvec_size(iov, nr_iovs, imu);
		int ret = io_estimate_bvec_size(iov, nr_iovs, imu);

		if (ret < 0)
		return ret;
		nr_segs = ret;
		}

		if (sizeof(struct bio_vec) > sizeof(struct iovec)) {