On Fri, Jul 15, 2022 at 08:56:30AM +0000, Oleksandr Tyshchenko wrote:
>
> On 15.07.22 11:20, Dan Carpenter wrote:
>
>
> Hello Dan
>
>
> > The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow
> > on 32 bit systems.  Probably no one really uses this software on 32 bit
> > systems, but it's still worth fixing the bug if only to make the static
> > checker happy.
> >
> > Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl")
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > ---
> >  drivers/xen/privcmd.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> > index ad17166b0ef6..1e59b76c618e 100644
> > --- a/drivers/xen/privcmd.c
> > +++ b/drivers/xen/privcmd.c
> > @@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch(
> >  		if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
> >  			return -EFAULT;
> >  		/* Returns per-frame error in m.arr. */
> > +		if (m.num > SIZE_MAX / sizeof(*m.arr))
> > +			return -EINVAL;
> >  		m.err = NULL;
> >  		if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
> >  			return -EFAULT;
> > @@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch(
> >  		if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
> >  			return -EFAULT;
> >  		/* Returns per-frame error code in m.err. */
> > +		if (m.num > SIZE_MAX / sizeof(*m.arr))
>
> Looks like here we need to check against sizeof(*m.err) which is used in
> the multiplication below.

Oh, yeah.  Sorry!  Need to redo that.

regards,
dan carpenter
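Review bot: in the @@ -456 hunk the two added lines are placed between the comment "/* Returns per-frame error in m.arr. */" and the "m.err = NULL;" statement that comment describes, so the comment no longer sits next to what it explains; move the guard above the comment (or after "m.err = NULL;") to keep them together. The bound itself, "m.num > SIZE_MAX / sizeof(*m.arr)", is the correct precondition for the product passed to access_ok() two lines later, and rejecting with -EINVAL before that call means an overflowed length can no longer reach the access check; array_size(m.num, sizeof(*m.arr)) from linux/overflow.h would express the same intent with a saturating helper if a less hand-rolled form is preferred.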
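Review bot: in the @@ -464 hunk the guard divides by sizeof(*m.arr), but this is the V2 path, whose own comment says the per-frame errors are returned in m.err, so the multiplication being protected is sized in elements of m.err and the divisor should be sizeof(*m.err), as Oleksandr's reply points out and the author acknowledges. With the element sizes mismatched the bound is tied to the wrong type and only happens to be right when the two sizes agree, so the respin should use "if (m.num > SIZE_MAX / sizeof(*m.err))" here; note also that the quoted hunk is cut off after the added "if" line, so the matching "return -EINVAL;" and the remaining context lines are not visible in this reply.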