The VFIO_DEVICE_SET_IRQS and VFIO_DEVICE_GET_PCI_HOT_RESET_INFO ioctls do not sufficiently sanitize user-supplied integers, allowing users to read arbitrary amounts of kernel heap memory or cause a crash.

Signed-off-by: Vlad Tsyrklevich <vlad@xxxxxxxxxxxxxxx>
---
 drivers/vfio/pci/vfio_pci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index d624a52..c3fbfb8 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -838,6 +838,7 @@ static long vfio_pci_ioctl(void *device_data,
 			return -EFAULT;
 		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
+		    hdr.count >= (U32_MAX - hdr.start) ||
 		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
 				  VFIO_IRQ_SET_ACTION_TYPE_MASK))
 			return -EINVAL;
@@ -909,6 +910,9 @@ static long vfio_pci_ioctl(void *device_data,
 		WARN_ON(!fill.max); /* Should always be at least one */
+		if (hdr.count > fill.max)
+			hdr.count = fill.max;
+
 		/*
 		 * If there's enough space, fill it now, otherwise return
 		 * -ENOSPC and the number of devices affected.
-- 
2.7.0

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
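Review bot: The added condition on the VFIO_DEVICE_SET_IRQS path only stops `hdr.start + hdr.count` from wrapping a u32; it does not bound that range against the number of interrupts actually available for `hdr.index`, so unless such a comparison happens further down the handler (outside this hunk, presumably in the per-type set-irqs code) an over-long but non-wrapping range still gets through. A range check against the per-index interrupt count would be the stronger fix and would make the wrap guard redundant. If the wrap guard is kept, `hdr.count > U32_MAX - hdr.start` is the exact wrap condition (`>=` additionally rejects the fitting case where start + count == U32_MAX) and the line deserves a comment such as `/* hdr.start and hdr.count are user-controlled u32s; their sum must not wrap */`. vfio_pci_ioctl begins before and continues past this hunk.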
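Review bot: Clamping `hdr.count` to `fill.max` silently rewrites a user-supplied value rather than treating it as untrusted, output-only state; the remainder of the VFIO_DEVICE_GET_PCI_HOT_RESET_INFO handler (the -ENOSPC path, the device fill and the copy of the device array back to userspace) lies outside this hunk, so it cannot be confirmed here whether `hdr.count` is later overwritten from the fill result or still drives a copy length. If the handler exists to report the device count to userspace, the clearer fix is to derive `hdr.count` solely from what the kernel counted or filled and never read the incoming value, which removes the need for this clamp. At minimum the clamp should say why it is there, e.g. `/* hdr.count comes from userspace; never let it exceed the devices we counted */`. vfio_pci_ioctl continues past this hunk.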