On 01/26/2010 10:59 AM, wzt wzt wrote:
> Hi:
>
> In kernel 2.6.32 kernel/arch/x86/kvm/i8254.c, I found that pit_ioport_read
> may have an integer buffer overflow hole:
>
> static int pit_ioport_read(struct kvm_io_device *this,
>                            gpa_t addr, int len, void *data)
> {
>         …
>         if (len > sizeof(ret))
>                 len = sizeof(ret);
>         memcpy(data, (char *)&ret, len);  // if len is negative (< 0), the data memory will be overflowed.
>         …
> }

Is there any caller that can send a negative length, user- or guest-controlled?

--
error compiling committee.c: too many arguments to function
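
Added example, not part of the original messages or the kernel source: a small C program showing what the quoted `if (len > sizeof(ret))` check does with a negative `int len`. It assumes `ret` is an `int` (its declaration is elided above); `clamp_as_posted` and `clamp_signed_compare` are hypothetical names, and the second function is a contrast case, not kernel code.

```c
#include <limits.h>
#include <stdio.h>

/* The posted check compares int with size_t; silence the warning for it. */
#pragma GCC diagnostic ignored "-Wsign-compare"

/* Same shape as the quoted check. ASSUMPTION: `ret` is an int; its
 * declaration is elided on the page. Returns the length memcpy would get. */
static int clamp_as_posted(int len)
{
    int ret = 0;
    (void)ret;
    /* sizeof yields size_t (unsigned). The usual arithmetic conversions
     * turn `len` into size_t for the comparison, so a negative len becomes
     * a very large value, the branch is taken, and len is clamped. */
    if (len > sizeof(ret))
        len = (int)sizeof(ret);
    return len;
}

/* Hypothetical variant, NOT the kernel code: forcing a signed comparison
 * lets a negative len through unclamped. */
static int clamp_signed_compare(int len)
{
    int ret = 0;
    (void)ret;
    if (len > (int)sizeof(ret))
        len = (int)sizeof(ret);
    return len;
}

int main(void)
{
    /* Constructed sample lengths. */
    const int samples[] = { 1, 2, 4, 8, -1, INT_MIN };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("len=%11d  as posted -> %d  signed compare -> %d\n",
               samples[i], clamp_as_posted(samples[i]),
               clamp_signed_compare(samples[i]));
    return 0;
}
```

Whether any caller can pass a negative `len` is a separate question; the example only shows how this comparison treats one.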