Thank you for your bug report. I've added Martyn and Manohar to the CC list. On Sat, Feb 23, 2013 at 06:53:18PM +0100, ternaryd wrote: > Hi, > > In vme.c, function vme_master_set(), vme_check_window() is called, > where invalid restrictions are applied. In case of address space > VME_A16, vme_base + size must not exceed VME_A16_MAX, which is defined > in include/linux/vme.h to 0x10000ULL. The second test is never > evaluated. > I looked at the assembly and I think the second test is evaluated. It looks like it's testing for integer overflow, but not correctly. A large value of size (which comes directly from the user in vme_user_ioctl()) could make vme_base + size wrap to a low number. It should be: if (size > VME_A16_MAX || vme_base > VME_A16_MAX || size + vme_base > VME_A16_MAX) retval = -EFAULT; That way it can't overflow. Presumably only root can call vme_master_set() so this isn't a security bug. > As slave windows must not overlap, this means that there can not be > more than one window in this address space on any VME bus member, > because the only valid base address would be 0x0. The correct test > should be the maximum value of a 64-bit unsigned integer plus 1, minus > 0xffff; and if checking is already done, maybe some alignment test > could help. Other than this, the call to vme_check_window() could also > be eliminated. I'm not sure how vme works so hopefully someone else can comment on this. regards, dan carpenter _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
