[PATCH] xen/privcmd: prevent integer overflow on 32 bit systems

Dan Carpenter <dan.carpenter@xxxxxxxxxx> · Fri, 15 Jul 2022 11:20:37 +0300

The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow
on 32 bit systems.  Probably no one really uses this software on 32 bit
systems, but it's still worth fixing the bug if only to make the static
checker happy.

Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 drivers/xen/privcmd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index ad17166b0ef6..1e59b76c618e 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch(
 		if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
 			return -EFAULT;
 		/* Returns per-frame error in m.arr. */
+		if (m.num > SIZE_MAX / sizeof(*m.arr))
+			return -EINVAL;
 		m.err = NULL;
 		if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
 			return -EFAULT;
@@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch(
 		if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
 			return -EFAULT;
 		/* Returns per-frame error code in m.err. */
+		if (m.num > SIZE_MAX / sizeof(*m.arr))
+			return -EINVAL;
 		if (!access_ok(m.err, m.num * (sizeof(*m.err))))
 			return -EFAULT;
 		break;
-- 
2.35.1







