In vfio_pci_ioctl() there is a potential integer underflow where we
might allocate less data than intended. We check that hdr.count is not
too large, but we don't check whether it is negative:
drivers/vfio/pci/vfio_pci.c
312 if (hdr.argsz - minsz < hdr.count * size ||
313 hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
314 return -EINVAL;
315
316 data = kmalloc(hdr.count * size, GFP_KERNEL);
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
diff --git a/include/linux/vfio.h b/include/linux/vfio.h
index 300d49b..86ef2da 100644
--- a/include/linux/vfio.h
+++ b/include/linux/vfio.h
@@ -347,7 +347,7 @@ struct vfio_irq_set {
#define VFIO_IRQ_SET_ACTION_TRIGGER (1 << 5) /* Trigger interrupt */
__u32 index;
__s32 start;
- __s32 count;
+ __u32 count;
__u8 data[];
};
#define VFIO_DEVICE_SET_IRQS _IO(VFIO_TYPE, VFIO_BASE + 10)
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
