The "offset" is a u32 that comes from the user. The bug is that the "offset + bytes" operation can have an integer overflow problem which leads to an out of bounds access. Fixes: 4d60c5fd3f87 ("drm/i915/gvt: vGPU PCI configuration space virtualization") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/gpu/drm/i915/gvt/cfg_space.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/i915/gvt/cfg_space.c b/drivers/gpu/drm/i915/gvt/cfg_space.c index b490e3db2e38..8a54dd3de91c 100644 --- a/drivers/gpu/drm/i915/gvt/cfg_space.c +++ b/drivers/gpu/drm/i915/gvt/cfg_space.c @@ -316,6 +316,10 @@ int intel_vgpu_emulate_cfg_write(struct intel_vgpu *vgpu, unsigned int offset, if (drm_WARN_ON(&i915->drm, bytes > 4)) return -EINVAL; + if (drm_WARN_ON(&i915->drm, + offset > vgpu->gvt->device_info.cfg_space_size)) + return -EINVAL; + if (drm_WARN_ON(&i915->drm, offset + bytes > vgpu->gvt->device_info.cfg_space_size)) return -EINVAL; -- 2.20.1
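Review bot: the new `offset > vgpu->gvt->device_info.cfg_space_size` check does close the wrap-around in `offset + bytes` (with `bytes > 4` already rejected, the unsigned sum can only wrap when `offset` is within 4 of UINT_MAX, and such an offset is now refused before the addition), but the two back-to-back checks express a single bounds condition and could be collapsed into one overflow-safe form such as `offset > cfg_space_size || bytes > cfg_space_size - offset`, which also leaves only one WARN site. Since `offset` is guest-controlled, it is also worth considering a plain `return -EINVAL` instead of `drm_WARN_ON` for this condition, as the existing pattern lets a misbehaving guest emit host kernel warnings at will.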