Hi:
In kernel 2.6.32 kernel/arch/x86/kvm/i8254.c, I found
pit_ioport_read maybe have a integer buffer overflow hole:
static int pit_ioport_read(struct kvm_io_device *this,
gpa_t addr, int len, void *data)
{
…
if (len > sizeof(ret))
len = sizeof(ret);
memcpy(data, (char *)&ret, len); // if len is a negative(< 0),
the data memory will be buffer overflow.
…
}
static const struct kvm_io_device_ops pit_dev_ops = {
.read = pit_ioport_read,
.write = pit_ioport_write,
};
The same bug also in speaker_ioport_read() function:
static int speaker_ioport_read(struct kvm_io_device *this,
gpa_t addr, int len, void *data)
{
…
if (len > sizeof(ret))
len = sizeof(ret);
memcpy(data, (char *)&ret, len);
…
}
static const struct kvm_io_device_ops speaker_dev_ops = {
.read = speaker_ioport_read,
.write = speaker_ioport_write,
};
My patch is:
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 296aba4..bf8637f 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -463,6 +463,8 @@ static int pit_ioport_read(struct kvm_io_device *this,
struct kvm *kvm = pit->kvm;
int ret, count;
struct kvm_kpit_channel_state *s;
+ if (len < 0)
+ return -EOPNOTSUPP;
if (!pit_in_range(addr))
return -EOPNOTSUPP;
@@ -516,6 +518,7 @@ static int pit_ioport_read(struct kvm_io_device *this,
if (len > sizeof(ret))
len = sizeof(ret);
+
memcpy(data, (char *)&ret, len);
mutex_unlock(&pit_state->lock);
@@ -547,6 +550,9 @@ static int speaker_ioport_read(struct kvm_io_device *this,
struct kvm *kvm = pit->kvm;
unsigned int refresh_clock;
int ret;
+
+ if (len < 0)
+ return -EOPNOTSUPP;
if (addr != KVM_SPEAKER_BASE_ADDRESS)
return -EOPNOTSUPP;
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
