[patch] vfio-pci: integer overflow in vfio_pci_ioctl()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The worry here is that a large value of hdr.start would cause a
read before the start of the array and a crash in
vfio_msi_set_vector_signal().

The check in vfio_msi_set_block() is not enough:

	if (start + count > vdev->num_ctx)
		return -EINVAL;

A large value of "start" would lead to an integer overflow.

The check in vfio_msi_set_vector_signal() doesn't work either:

	if (vector >= vdev->num_ctx)
		return -EINVAL;

Here "vector" is "count" casted to a signed int so it would be negative
and thus smaller than "vdev->num_ctx" which is also a signed int.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
Static analysis stuff.  Untested.

This patch is not beautiful.  There is probably a better limit to use if
I knew the code.

diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index acfcb1a..de54f69 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -371,6 +371,9 @@ static long vfio_pci_ioctl(void *device_data,
 			    hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
 				return -EINVAL;
 
+			if (hdr.start > INT_MAX - hdr.count)
+				return -EINVAL;
+
 			data = memdup_user((void __user *)(arg + minsz),
 					   hdr.count * size);
 			if (IS_ERR(data))
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux