Re: [PATCH] vfio/qat: fix overflow check in qat_vf_resume_write()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 21 Oct 2024 13:37:53 +0100
Giovanni Cabiddu <giovanni.cabiddu@xxxxxxxxx> wrote:

> The unsigned variable `size_t len` is cast to the signed type `loff_t`
> when passed to the function check_add_overflow(). This function considers
> the type of the destination, which is of type loff_t (signed),
> potentially leading to an overflow. This issue is similar to the one
> described in the link below.
> 
> Remove the cast.
> 
> Note that even if check_add_overflow() is bypassed, by setting `len` to
> a value that is greater than LONG_MAX (which is considered as a negative
> value after the cast), the function copy_from_user(), invoked a few lines
> later, will not perform any copy and return `len` as (len > INT_MAX)
> causing qat_vf_resume_write() to fail with -EFAULT.
> 
> Fixes: bb208810b1ab ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices")
> CC: stable@xxxxxxxxxxxxxxx # 6.10+
> Link: https://lore.kernel.org/all/138bd2e2-ede8-4bcc-aa7b-f3d9de167a37@moroto.mountain
> Reported-by: Zijie Zhao <zzjas98@xxxxxxxxx>
> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@xxxxxxxxx>
> Reviewed-by: Xin Zeng <xin.zeng@xxxxxxxxx>
> ---
>  drivers/vfio/pci/qat/main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c
> index e36740a282e7..1e3563fe7cab 100644
> --- a/drivers/vfio/pci/qat/main.c
> +++ b/drivers/vfio/pci/qat/main.c
> @@ -305,7 +305,7 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf,
>  	offs = &filp->f_pos;
>  
>  	if (*offs < 0 ||
> -	    check_add_overflow((loff_t)len, *offs, &end))
> +	    check_add_overflow(len, *offs, &end))
>  		return -EOVERFLOW;
>  
>  	if (end > mig_dev->state_size)

Applied to vfio next branch for v6.13.  Thanks,

Alex





[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux