aio: Add aio sanity checks

Check nr in aio header during dump and correctness of tail, head and nr during restore. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

aio: Add aio sanity checks
Check nr in aio header during dump and correctness of tail, head and nr during restore. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
b6386369 · Kirill Tkhai · Pavel Emelyanov · 3a7968d4 · b6386369 · b6386369
Commit b6386369 authored Mar 28, 2016 by Kirill Tkhai Committed by Pavel Emelyanov Apr 07, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 5 deletions

aio.c criu/aio.c +1 -0

parasite.h criu/include/parasite.h +1 -0

parasite.c criu/pie/parasite.c +11 -4

restorer.c criu/pie/restorer.c +10 -1

No files found.
--- a/criu/aio.c
+++ b/criu/aio.c
@@ -99,6 +99,7 @@ int parasite_collect_aios(struct parasite_ctl *ctl, struct vm_area_list *vmas)
 		pr_debug(" `- Ring #%ld @%"PRIx64"\n",
 				(long)(pa - &aa->ring[0]), vma->e->start);
 		pa->ctx = vma->e->start;
+		pa->size = vma->e->end - vma->e->start;
 		pa->max_reqs = 0;
 		pa->vma_nr_reqs = &vma->aio_nr_req;
 		pa++;

--- a/criu/include/parasite.h
+++ b/criu/include/parasite.h
@@ -139,6 +139,7 @@ struct parasite_dump_posix_timers_args {
 struct parasite_aio {
 	unsigned long ctx;
+	unsigned int size;
 	unsigned int max_reqs;
 	unsigned int *vma_nr_reqs;
 };

--- a/criu/pie/parasite.c
+++ b/criu/pie/parasite.c
@@ -385,12 +385,18 @@ static inline int tty_ioctl(int fd, int cmd, int *arg)
 #define AIO_RING_COMPAT_FEATURES	1
 #define AIO_RING_INCOMPAT_FEATURES	0
-static int sane_ring(struct aio_ring *ring)
+static int sane_ring(struct parasite_aio *aio)
 {
+	struct aio_ring *ring = (struct aio_ring *)aio->ctx;
+	unsigned nr;
+	nr = (aio->size - sizeof(struct aio_ring)) / sizeof(struct io_event);
 	return ring->magic == AIO_RING_MAGIC &&
 		ring->compat_features == AIO_RING_COMPAT_FEATURES &&
 		ring->incompat_features == AIO_RING_INCOMPAT_FEATURES &&
-		ring->header_length == sizeof(struct aio_ring);
+		ring->header_length == sizeof(struct aio_ring) &&
+		ring->nr == nr;
 }
 static int parasite_check_aios(struct parasite_check_aios_args *args)
@@ -401,12 +407,13 @@ static int parasite_check_aios(struct parasite_check_aios_args *args)
 		struct aio_ring *ring;
 		ring = (struct aio_ring *)args->ring[i].ctx;
-		if (!sane_ring(ring)) {
+		if (!sane_ring(&args->ring[i])) {
 			pr_err("Not valid ring #%d\n", i);
 			pr_info(" `- magic %x\n", ring->magic);
 			pr_info(" `- cf    %d\n", ring->compat_features);
 			pr_info(" `- if    %d\n", ring->incompat_features);
-			pr_info(" `- size  %d (%zd)\n", ring->header_length, sizeof(struct aio_ring));
+			pr_info(" `- header size  %d (%zd)\n", ring->header_length, sizeof(struct aio_ring));
+			pr_info(" `- nr    %d\n", ring->nr);
 			return -1;
 		}

--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -556,7 +556,7 @@ static unsigned long restore_mapping(const VmaEntry *vma_entry)
 */
 static int restore_aio_ring(struct rst_aio_ring *raio)
 {
-	struct aio_ring *ring = (void *)raio->addr;
+	struct aio_ring *ring = (void *)raio->addr, *new;
 	int i, maxr, count, fd, ret;
 	unsigned head = ring->head;
 	unsigned tail = ring->tail;
@@ -571,6 +571,15 @@ static int restore_aio_ring(struct rst_aio_ring *raio)
 		return -1;
 	}
+	new = (struct aio_ring *)ctx;
+	i = (raio->len - sizeof(struct aio_ring)) / sizeof(struct io_event);
+	if (tail >= ring->nr || head >= ring->nr || ring->nr != i ||
+	    new->nr != ring->nr) {
+		pr_err("wrong aio parametrs: tail=%x head=%x nr=%x len=%lx\n",
+			tail, head, raio->nr_req, raio->len);
+		return -1;
+	}
 	if (tail == 0 && head == 0)
 		goto populate;