+ fsl_hypervisor-prevent-integer-overflow-in-ioctl.patch added to -mm tree

The patch titled
     Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
has been added to the -mm tree.  Its filename is
     fsl_hypervisor-prevent-integer-overflow-in-ioctl.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/fsl_hypervisor-prevent-integer-overflow-in-ioctl.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/fsl_hypervisor-prevent-integer-overflow-in-ioctl.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl

The "param.count" value is a u64 that comes from the user.  The code later
in the function assumes that param.count is at least one and if it's not
then it leads to an Oops when we dereference the ZERO_SIZE_PTR.

Also the addition can have an integer overflow which would lead us to
allocate a smaller "pages" array than required.  I can't immediately tell
what the possible runtime implications are, but it's safest to prevent
the overflow.

Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Timur Tabi <timur@xxxxxxxxxxxxx>
Cc: Mihai Caraman <mihai.caraman@xxxxxxxxxxxxx>
Cc: Kumar Gala <galak@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/virt/fsl_hypervisor.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/virt/fsl_hypervisor.c~fsl_hypervisor-prevent-integer-overflow-in-ioctl
+++ a/drivers/virt/fsl_hypervisor.c
@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
 	 * hypervisor.
 	 */
 	lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
+	if (param.count == 0 ||
+	    param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
+		return -EINVAL;
 	num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
 
 	/* Allocate the buffers we need */
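Review bot: The added test `param.count > U64_MAX - lb_offset - PAGE_SIZE + 1` only stops the 64-bit sum from wrapping; it sets no practical upper limit on param.count, so a count just under that bound still passes and produces an enormous num_pages for the allocation that follows. The declaration of num_pages is not visible in this hunk, so if it is narrower than u64 the shifted result can still be truncated on assignment, and the undersized "pages" array the changelog describes would remain reachable. Consider doing the computation in a u64 temporary and returning -EINVAL when the page count does not fit num_pages' type (or exceeds a sane maximum for this ioctl), and make sure the allocation itself uses an overflow-checked array allocator. A one-line comment noting that lb_offset is always below PAGE_SIZE, because of the `& (PAGE_SIZE - 1)` mask, would also make it clear that the subtraction in the bound cannot underflow.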
_

Patches currently in -mm which might be from dan.carpenter@xxxxxxxxxx are

fsl_hypervisor-dereferencing-error-pointers-in-ioctl.patch
fsl_hypervisor-prevent-integer-overflow-in-ioctl.patch



