block: check for proper length of iov entries in blk_rq_map_user_iov()
Jens Axboe [Fri, 29 Oct 2010 14:10:18 +0000 (08:10 -0600)]
Ensure that we pass down properly validated iov segments before
calling into the mapping or copy functions.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>

block/blk-map.c

index d4a586d..5d5dbe4 100644 (file)
@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
                        unaligned = 1;
                        break;
                }
+               if (!iov[i].iov_len)
+                       return -EINVAL;
        }
 
        if (unaligned || (q->dma_pad_mask & len) || map_data)