authorAlan Somers <asomers@FreeBSD.org>2021-01-10 03:23:05 +0000
committerAlan Somers <asomers@FreeBSD.org>2021-01-12 02:53:01 +0000
commitff1a307801994e18a87929898225f09d31f3e1fa (patch)
treee7d272e3acf2cb11e23b6f91a4881e0a3653de62 /sys
parent292808246db702b9194deb8938e40fd06914aea9 (diff)
lio_listio: validate aio_lio_opcode
Previously, we would accept any kind of LIO_* opcode, including ones that were intended for in-kernel use only like LIO_SYNC (which is not defined in userland). The situation became more serious with 022ca2fc7fe08d51f33a1d23a9be49e6d132914e. After that revision, setting aio_lio_opcode to LIO_WRITEV or LIO_READV would trigger an assertion. Note that POSIX does not specify what should happen if aio_lio_opcode is invalid. MFC-with: 022ca2fc7fe08d51f33a1d23a9be49e6d132914e Reviewed by: jhb, tmunro, 0mp Differential Revision: https://reviews.freebsd.org/D28078
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/vfs_aio.c20
-rw-r--r--sys/sys/aio.h2
2 files changed, 16 insertions, 6 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 8666d6ea4217..bc0d7e04c9d5 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1556,16 +1556,26 @@ aio_aqueue(struct thread *td, struct aiocb *ujob, struct aioliojob *lj,
goto err2;
}
+ /* Get the opcode. */
+ if (type == LIO_NOP) {
+ switch (job->uaiocb.aio_lio_opcode) {
+ case LIO_WRITE:
+ case LIO_NOP:
+ case LIO_READ:
+ opcode = job->uaiocb.aio_lio_opcode;
+ break;
+ default:
+ error = EINVAL;
+ goto err2;
+ }
+ } else
+ opcode = job->uaiocb.aio_lio_opcode = type;
+
ksiginfo_init(&job->ksi);
/* Save userspace address of the job info. */
job->ujob = ujob;
- /* Get the opcode. */
- if (type != LIO_NOP)
- job->uaiocb.aio_lio_opcode = type;
- opcode = job->uaiocb.aio_lio_opcode;
-
/*
* Validate the opcode and fetch the file object for the specified
* file descriptor.
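Review bot: The comment `/* Get the opcode. */` does not say why the two branches differ, and that is the security-relevant part. When `type == LIO_NOP` the opcode is the value userland supplied in the aiocb (per the commit message, the lio_listio path), so the `switch` is an allowlist at a trust boundary. I would replace the comment with `/* type == LIO_NOP: opcode comes from the user's aiocb; accept only the opcodes userland may submit, reject kernel-internal ones with EINVAL. */`, so that anyone adding a new LIO_* value knows it is rejected here until listed explicitly. The check now also runs before `ksiginfo_init(&job->ksi)` and `job->ujob = ujob`, and the `err2` label is outside this hunk, so it is worth confirming that the error path reads neither of those. aio_aqueue begins and ends outside the hunk.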
diff --git a/sys/sys/aio.h b/sys/sys/aio.h
index dbfbadcd1254..ee928b8bf846 100644
--- a/sys/sys/aio.h
+++ b/sys/sys/aio.h
@@ -43,7 +43,7 @@
#define LIO_NOP 0x0
#define LIO_WRITE 0x1
#define LIO_READ 0x2
-#ifdef _KERNEL
+#if defined(_KERNEL) || defined(_WANT_ALL_LIO_OPCODES)
#define LIO_SYNC 0x3
#define LIO_MLOCK 0x4
#define LIO_WRITEV 0x5
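Review bot: `_WANT_ALL_LIO_OPCODES` is introduced without a comment, so a userland consumer could take the newly visible LIO_SYNC, LIO_MLOCK and LIO_WRITEV definitions for a supported interface. A line above the `#if` such as `/* Kernel-internal opcodes; lio_listio(2) rejects them with EINVAL. _WANT_ALL_LIO_OPCODES is not a public API. */` would make that explicit. The intended consumer is not visible in this diff, which is limited to sys; it is presumably a regression test for the rejection. The conditional block continues past the end of the hunk.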