On 15.07.22 11:20, Dan Carpenter wrote:
Hello Dan
> The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow
> on 32 bit systems. Probably no one really uses this software on 32 bit
> systems, but it's still worth fixing the bug if only to make the static
> checker happy.
>
> Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/xen/privcmd.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> index ad17166b0ef6..1e59b76c618e 100644
> --- a/drivers/xen/privcmd.c
> +++ b/drivers/xen/privcmd.c
> @@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch(
> if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
> return -EFAULT;
> /* Returns per-frame error in m.arr. */
> + if (m.num > SIZE_MAX / sizeof(*m.arr))
> + return -EINVAL;
> m.err = NULL;
> if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
> return -EFAULT;
> @@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch(
> if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
> return -EFAULT;
> /* Returns per-frame error code in m.err. */
> + if (m.num > SIZE_MAX / sizeof(*m.arr))
Looks like here we need to check against sizeof(*m.err) which is used in the multiplication below.
> + return -EINVAL;
> if (!access_ok(m.err, m.num * (sizeof(*m.err))))
> return -EFAULT;
> break;
-- Regards, Oleksandr Tyshchenko
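Review bot: The added `if (m.num > SIZE_MAX / sizeof(*m.arr))` guard in the first hunk, and the matching line in the second, open-code a divisor that must be kept in step by hand with the multiplicand on the access_ok() line two lines below, which is exactly the kind of pairing that drifts on copy-paste. The overflow.h helper expresses the bound once and takes the element size from the pointer actually being range-checked: `size_t len;` / `if (check_mul_overflow(m.num, sizeof(*m.arr), &len)) return -EINVAL;` / `if (!access_ok(m.arr, len)) return -EFAULT;` (same shape with m.err in the V2 case). Note that this guard only covers the access_ok() argument; privcmd_ioctl_mmap_batch() starts before and continues after both hunks, so whether any later step re-derives a byte length from m.num is not visible here and is worth a look when applying.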