Re: [PATCH v2] vduse: Validate vq_num in vduse_validate_config()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Nov 28, 2022 at 12:36:26AM -0800, Harshit Mogalapalli wrote:
Add a limit to 'config->vq_num' which is user controlled data which
comes from an vduse_ioctl to prevent large memory allocations.

This is found using static analysis with smatch.

Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
---
v1->v2: Change title of the commit and description, add a limit to
	vq_num.

Note: I think here 0xffff is the max size of vring =  no: of vqueues.
Only compile and boot tested.
---
drivers/vdpa/vdpa_user/vduse_dev.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 35dceee3ed56..31017ebc4d7c 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -1440,6 +1440,9 @@ static bool vduse_validate_config(struct vduse_dev_config *config)
	if (config->config_size > PAGE_SIZE)
		return false;

+	if (config->vq_num > 0xffff)

What about using U16_MAX here?

Thanks,
Stefano

+		return false;
+
	if (!device_is_allowed(config->device_id))
		return false;

--
2.38.1


_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/virtualization



[Index of Archives]     [KVM Development]     [Libvirt Development]     [Libvirt Users]     [CentOS Virtualization]     [Netdev]     [Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux