Re: [patch] vfio-pci: integer overflow in vfio_pci_ioctl()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Mar 26, 2013 at 04:13:58PM +0300, Dan Carpenter wrote:
> The worry here is that a large value of hdr.start would cause a
> read before the start of the array and a crash in
> vfio_msi_set_vector_signal().
> 
> The check in vfio_msi_set_block() is not enough:
> 
> 	if (start + count > vdev->num_ctx)
> 		return -EINVAL;
> 
> A large value of "start" would lead to an integer overflow.
> 
> The check in vfio_msi_set_vector_signal() doesn't work either:
> 
> 	if (vector >= vdev->num_ctx)
> 		return -EINVAL;
> 
> Here "vector" is "count" casted to a signed int so it would be negative
                    ^^^^^
I meant "start" not "count".

> and thus smaller than "vdev->num_ctx" which is also a signed int.
> 

Gar...  I hate this patch already.  I really should make
vdev->num_ctx an unsigned int.  I'll send that in a v2 along with
whatever other suggestions people send.

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux