[PATCH] drm/i915/gvt: Prevent integer overflow in intel_vgpu_emulate_cfg_write()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The "offset" is a u32 that comes from the user.  The bug is that the
"offset + bytes" operation can have an integer overflow problem which
leads to an out of bounds access.

Fixes: 4d60c5fd3f87 ("drm/i915/gvt: vGPU PCI configuration space virtualization")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 drivers/gpu/drm/i915/gvt/cfg_space.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/gvt/cfg_space.c b/drivers/gpu/drm/i915/gvt/cfg_space.c
index b490e3db2e38..8a54dd3de91c 100644
--- a/drivers/gpu/drm/i915/gvt/cfg_space.c
+++ b/drivers/gpu/drm/i915/gvt/cfg_space.c
@@ -316,6 +316,10 @@ int intel_vgpu_emulate_cfg_write(struct intel_vgpu *vgpu, unsigned int offset,
 	if (drm_WARN_ON(&i915->drm, bytes > 4))
 		return -EINVAL;
 
+	if (drm_WARN_ON(&i915->drm,
+			offset > vgpu->gvt->device_info.cfg_space_size))
+		return -EINVAL;
+
 	if (drm_WARN_ON(&i915->drm,
 			offset + bytes > vgpu->gvt->device_info.cfg_space_size))
 		return -EINVAL;
-- 
2.20.1




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux