[Bug Report] drivers/rapidio: integer overflow in rio_mport_maint_rd and

Hi Matt and Alexandre,
Greetings, I'm a first-year PhD student who is interested in the usage of UBSan in the Linux kernel. With some experiments, I found that in drivers/rapidio/devices/rio_mport_cdev.c, in the functions rio_mport_maint_rd and rio_mport_maint_wr, there are two similar integer overflows that might cause unexpected behavior.

More specifically, after the execution of copy_from_user in these two functions, the maint_io structures are filled with data from user space, and the two additions at line 273 and line 318 in these two functions, which both are:

(maint_io.length + maint_io.offset) > RIO_MAINT_SPACE_SZ

could overflow because maint_io.length and maint_io.offset are both 32-bit user-provided unsigned integers, and this check can be bypassed due to this overflow.
As a consequence, the parameters passed to vmalloc() or other following callee functions, e.g. rio_mport_write_config_32, can be manipulated directly by users.

Due to my lack of knowledge of the interaction between this module and user space, I'm not able to assess whether this is a security-related problem.
Judging from the appearance, a malicious user can possibly allocate a big chunk of kernel memory and cause a performance issue.
I'd be more than happy to hear your valuable opinions on whether this is worth fixing or not; if not, I'd be very interested to know why, as this will help me understand the kernel and UBSan a lot!

Looking forward to your valuable response!

Changming Liu
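To illustrate the wrap the report describes, here is an added example (not code from the kernel or from the reporter) with a stand-in struct and an assumed window size, placing the quoted check beside an overflow-safe form:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the kernel's RIO_MAINT_SPACE_SZ (16 MiB window). */
#define RIO_MAINT_SPACE_SZ (16u * 1024u * 1024u)

/* Hypothetical minimal stand-in for the user-filled maint_io structure. */
struct maint_io_example {
    uint32_t offset;
    uint32_t length;
};

/* The check as quoted in the report. Both operands are 32-bit unsigned,
 * so the sum wraps modulo 2^32: a huge offset plus a small length can
 * land below the window size and pass. Returns true when rejected. */
bool range_check_wrapping(const struct maint_io_example *io)
{
    return (io->length + io->offset) > RIO_MAINT_SPACE_SZ;
}

/* Overflow-safe form: bound the offset first, then compare the length
 * against the space that remains, so no addition can wrap.
 * Returns true when rejected. */
bool range_check_safe(const struct maint_io_example *io)
{
    if (io->offset > RIO_MAINT_SPACE_SZ)
        return true;
    return io->length > RIO_MAINT_SPACE_SZ - io->offset;
}

int main(void)
{
    /* Constructed inputs: one in-range request and one that wraps. */
    struct maint_io_example ok = { .offset = 0x100, .length = 0x40 };
    struct maint_io_example wrap = { .offset = 0xFFFFFFF0u, .length = 0x20 };

    printf("ok:   wrapping=%d safe=%d\n",
           range_check_wrapping(&ok), range_check_safe(&ok));
    printf("wrap: wrapping=%d safe=%d\n",
           range_check_wrapping(&wrap), range_check_safe(&wrap));
    return 0;
}
```

In the kernel itself the same guard can be written with the check_add_overflow() helper from linux/overflow.h, which reports the wrap instead of silently discarding it.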