[PATCH kvmtool 5/5] mmio: Sanitize addr and len

This patch verifies that adding the addr and length arguments
from an MMIO op does not overflow. This is necessary because the
arguments are controlled by the VM. The length may be set to
an arbitrary value by using the rep prefix.

Signed-off-by: Martin Radev <martin.b.radev@xxxxxxxxx>
---
 mmio.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mmio.c b/mmio.c
index a6dd3aa..5a114e9 100644
--- a/mmio.c
+++ b/mmio.c
@@ -32,6 +32,10 @@ static struct mmio_mapping *mmio_search(struct rb_root *root, u64 addr, u64 len)
 {
 	struct rb_int_node *node;
 
+	/* If len is zero or if there's an overflow, the MMIO op is invalid. */
+	if (addr + len <= addr)
+		return NULL;
+
 	node = rb_int_search_range(root, addr, addr + len);
 	if (node == NULL)
 		return NULL;
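Review bot: the new guard `if (addr + len <= addr)` relies on u64 addition wrapping modulo 2^64, which is well defined and makes the single comparison reject exactly len == 0 and any wrapped sum, but the comment above it should say so explicitly, since a reader may otherwise mistake it for an overflow-prone signed comparison; something like `/* addr and len are u64: len == 0 or a wrapped addr + len means an invalid op */` would also document that a range ending exactly at 2^64 (addr + len == 0) is rejected, which is the right outcome because the exclusive end passed to rb_int_search_range(root, addr, addr + len) must be representable. Since the diffstat shows only mmio_search() is touched, any other consumer of the guest-supplied addr/len pair needs the same check or should be routed through this function.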
-- 
2.25.1
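The overflow guard described in the commit message, as an added C example that is not part of the patch or of kvmtool: it places the patch's single comparison beside a formulation that never performs the addition, and runs both over constructed guest-controlled (addr, len) pairs, including zero length, a range ending at the very top of the address space, and wrapped sums.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* The guard from the patch: u64 addition wraps modulo 2^64, so
 * addr + len <= addr holds exactly when len == 0 or the sum wrapped. */
static bool mmio_range_ok(u64 addr, u64 len)
{
	return addr + len > addr;
}

/* Reference formulation that never adds: the range is usable iff len is
 * non-zero and the exclusive end addr + len still fits in 64 bits. */
static bool mmio_range_ok_ref(u64 addr, u64 len)
{
	return len != 0 && len <= UINT64_MAX - addr;
}

/* Constructed guest-supplied operands (hypothetical values, not from the
 * patch), with the verdict each formulation is expected to reach. */
struct mmio_case { u64 addr, len; bool expect; };
static const struct mmio_case cases[] = {
	{ 0x10000000ULL,          0x1000,     true  }, /* ordinary 4 KiB window   */
	{ 0x10000000ULL,          0,          false }, /* zero-length op          */
	{ 0xFFFFFFFFFFFFF000ULL,  0xFFF,      true  }, /* ends at UINT64_MAX      */
	{ 0xFFFFFFFFFFFFF000ULL,  0x1000,     false }, /* end == 2^64, wraps to 0 */
	{ 0xFFFFFFFFFFFFF000ULL,  0x2000,     false }, /* rep-style len, wraps    */
	{ 0,                      UINT64_MAX, true  }, /* largest non-wrapping    */
	{ UINT64_MAX,             1,          false }, /* one past the top        */
};

/* Runs every case through both formulations; true only if they agree with
 * each other and with the expected verdict. */
static bool check_all(void)
{
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		bool a = mmio_range_ok(cases[i].addr, cases[i].len);
		bool b = mmio_range_ok_ref(cases[i].addr, cases[i].len);
		if (a != cases[i].expect || b != cases[i].expect) {
			printf("mismatch: addr=%#" PRIx64 " len=%#" PRIx64 "\n",
			       cases[i].addr, cases[i].len);
			return false;
		}
	}
	return true;
}

int main(void)
{
	return check_all() ? 0 : 1;
}
```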