From 1ceed49ba94c139be274fe5eaf367201ab0042a6 Mon Sep 17 00:00:00 2001
From: Nicolas Lacasse
Date: Thu, 28 Jun 2018 12:54:14 -0700
Subject: Check for invalid offset when submitting an AIO read/write request.

PiperOrigin-RevId: 202528335
Change-Id: Ic32312cf4337bcb40a7155cb2174e5cd89a280f7
---
 pkg/sentry/syscalls/linux/sys_aio.go | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'pkg/sentry/syscalls/linux')
diff --git a/pkg/sentry/syscalls/linux/sys_aio.go b/pkg/sentry/syscalls/linux/sys_aio.go
index 80407a082..470027206 100644
--- a/pkg/sentry/syscalls/linux/sys_aio.go
+++ b/pkg/sentry/syscalls/linux/sys_aio.go
@@ -319,6 +319,14 @@ func submitCallback(t *kernel.Task, id uint64, cb *ioCallback, cbAddr usermem.Ad
 return err
 }

+ // Check offset for reads/writes.
+ switch cb.OpCode {
+ case _IOCB_CMD_PREAD, _IOCB_CMD_PREADV, _IOCB_CMD_PWRITE, _IOCB_CMD_PWRITEV:
+ if cb.Offset < 0 {
+ return syserror.EINVAL
+ }
+ }
+
 // Prepare the request.
 ctx, ok := t.MemoryManager().LookupAIOContext(t, id)
 if !ok {
--
cgit v1.2.3
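Review bot: Nothing in the added `switch cb.OpCode` block bounds the end of the transfer: a request with a non-negative `cb.Offset` close to the int64 maximum still passes, so any offset-plus-length arithmetic later in the read/write path has to cope with wrap-around, and whether it does is not visible in this hunk. The callback is presumably filled from application memory (the function takes `cbAddr usermem.Addr`), so this is caller-controlled input; either add the end-of-range check beside the sign check or record the division of labour in the comment, e.g. `// Reject negative offsets here with EINVAL; offset+length overflow must be rejected by the file read/write path.` The diffstat lists only sys_aio.go, so a syscall test that submits a negative offset for each of the four opcodes and expects EINVAL would pin the new behaviour. submitCallback begins and continues outside the hunk.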