Re: [PATCH] vfio: hisi_acc_vfio_pci: fix integer overflow check in hisi_acc_vf_resume_write()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 05, 2022 at 12:05:28PM +0300, Dan Carpenter wrote:
> The casting on this makes the integer overflow check slightly wrong.
> "len" is an unsigned long. "*pos" and "requested_length" are signed
> long longs.  Imagine "len" is ULONG_MAX and "*pos" is 2.
> "ULONG_MAX + 2 = 1". 

I wonder if this can happen, len is a kernel controlled value bounded
by a memory allocation..

> Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---

This code was copy and pasted from drivers/vfio/pci/mlx5/main.c, so it
should be fixed too

> It is strange that we are doing:
> 
> 	pos = &filp->f_pos;
>
> instead of using the passed in value of pos.  

IIRC the way we have the struct file configured the pos argument is
NULL.

Jason



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux