Description of problem: This doesn't look correct, the io_submit systemcall calls do_io_submit() directly: SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr, struct iocb __user * __user *, iocbpp) { return do_io_submit(ctx_id, nr, iocbpp, 0); } do_io_submit only checks if nr < 0, but doesnt check if the access_ok multiplication will overflow. long do_io_submit(aio_context_t ctx_id, long nr, struct iocb __user *__user *iocbpp, bool compat) { ... if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp))))) return -EFAULT; ... Then it uses this loop with __get_user_nocheck(), which doesn't look safe. ... for (i=0; i<nr; i++) { struct iocb __user *user_iocb; struct iocb tmp; if (unlikely(__get_user(user_iocb, iocbpp + i))) { ret = -EFAULT; break; } ... Acknowledgements: Red Hat would like to thank Tavis Ormandy for reporting this issue.
Now public: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=75e1c70fc31490ef8a373ea2a4bea2524099b478
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0758 https://rhn.redhat.com/errata/RHSA-2010-0758.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0779 https://rhn.redhat.com/errata/RHSA-2010-0779.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0839 https://rhn.redhat.com/errata/RHSA-2010-0839.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html