Hi,
On Fri, Mar 04, 2022 at 01:10:50AM +0200, Martin Radev wrote:
> This patch verifies that adding the addr and length arguments
> from an MMIO op do not overflow. This is necessary because the
> arguments are controlled by the VM. The length may be set to
> an arbitrary value by using the rep prefix.
>
> Signed-off-by: Martin Radev <martin.b.radev@xxxxxxxxx>
The patch looks correct to me:
Reviewed-by: Alexandru Elisei <alexandru.elisei@xxxxxxx>
Thanks,
Alex
> ---
> mmio.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/mmio.c b/mmio.c
> index a6dd3aa..5a114e9 100644
> --- a/mmio.c
> +++ b/mmio.c
> @@ -32,6 +32,10 @@ static struct mmio_mapping *mmio_search(struct rb_root *root, u64 addr, u64 len)
> {
> struct rb_int_node *node;
>
> + /* If len is zero or if there's an overflow, the MMIO op is invalid. */
> + if (addr + len <= addr)
> + return NULL;
> +
> node = rb_int_search_range(root, addr, addr + len);
> if (node == NULL)
> return NULL;
> --
> 2.25.1
>
