From: Alex Williamson <alex.williamson@redhat.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/3] vfio: make count unsigned to prevent integer underflow
Date: Thu, 28 Jun 2012 16:24:52 -0600 [thread overview]
Message-ID: <1340922292.3179.58.camel@ul30vt> (raw)
In-Reply-To: <20120628064458.GB11107@elgon.mountain>
On Thu, 2012-06-28 at 09:44 +0300, Dan Carpenter wrote:
> In vfio_pci_ioctl() there is a potential integer underflow where we
> might allocate less data than intended. We check that hdr.count is not
> too large, but we don't check whether it is negative:
>
> drivers/vfio/pci/vfio_pci.c
> 312 if (hdr.argsz - minsz < hdr.count * size ||
> 313 hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
> 314 return -EINVAL;
> 315
> 316 data = kmalloc(hdr.count * size, GFP_KERNEL);
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/include/linux/vfio.h b/include/linux/vfio.h
> index 300d49b..86ef2da 100644
> --- a/include/linux/vfio.h
> +++ b/include/linux/vfio.h
> @@ -347,7 +347,7 @@ struct vfio_irq_set {
> #define VFIO_IRQ_SET_ACTION_TRIGGER (1 << 5) /* Trigger interrupt */
> __u32 index;
> __s32 start;
> - __s32 count;
> + __u32 count;
> __u8 data[];
> };
> #define VFIO_DEVICE_SET_IRQS _IO(VFIO_TYPE, VFIO_BASE + 10)
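Review bot: `start` on the line just above the changed one stays `__s32` while `count` becomes `__u32`; a negative start slips past a signed comparison for exactly the reason the description gives for count, so it is worth flipping both in the same hunk. Since `__s32` and `__u32` have the same size and alignment, the struct layout, and with it the ioctl ABI, is unchanged, which the changelog could state explicitly. It would also help to spell out in the changelog that the fix relies on the second clause of the quoted check, `hdr.count > vfio_pci_get_irq_count(vdev, hdr.index)`, now being an unsigned comparison that rejects every value that used to be negative, because the first clause alone does not: `hdr.count * size` can still wrap to a small value for some large counts.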
Good find. I've actually trickled this through to change a number of
the function params to unsigned from int. Also in this struct, start
should be unsigned. Thanks for the report!
Alex
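The check quoted in the patch description, modelled as an added example (this is not the VFIO driver's code and not part of the thread). It keeps only the two header fields the check touches, evaluates the arithmetic at 32 bits deliberately (what a 32-bit `size_t` would give), and uses constructed stand-ins `MINSZ`, `ELEM_SIZE` and `IRQ_COUNT` for values the real ioctl derives at run time. It shows that with a signed count, `-1` is caught by the size clause only by luck of the wrap, while `INT32_MIN / 2` wraps the product to zero and passes both clauses, so the allocation would be sized 0 bytes; with an unsigned count, the range clause rejects both.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for values the real ioctl derives at run time. */
#define MINSZ     16u   /* assumed: offset of data[] within the header */
#define ELEM_SIZE 4u    /* assumed: bytes per element, e.g. a 32-bit eventfd */
#define IRQ_COUNT 8     /* assumed: what vfio_pci_get_irq_count() would return */

/* Only the header fields the quoted check touches. Arithmetic is kept at
 * 32 bits deliberately, which is what a 32-bit size_t would give. */
struct hdr {
    uint32_t argsz;
    int32_t  count;     /* raw user-supplied value; interpreted below */
};

/* Before the patch: count is __s32. Returns the byte count the allocation
 * would be asked for, or -1 where the check would return -EINVAL. */
static long alloc_size_signed(const struct hdr *h)
{
    int32_t  count = h->count;
    uint32_t size  = ELEM_SIZE;

    /* In count * size the signed count converts to unsigned for the multiply,
     * so a negative value may wrap the product to something small. The
     * second clause compares signed against signed, so negatives pass it. */
    if (h->argsz - MINSZ < count * size || count > IRQ_COUNT)
        return -1;
    return (long)(count * size);
}

/* After the patch: count is __u32, so the range clause rejects every value
 * that used to be negative, regardless of what the product wraps to. */
static long alloc_size_unsigned(const struct hdr *h)
{
    uint32_t count = (uint32_t)h->count;
    uint32_t size  = ELEM_SIZE;

    if (h->argsz - MINSZ < count * size || count > (uint32_t)IRQ_COUNT)
        return -1;
    return (long)(count * size);
}

/* Constructed requests; argsz >= MINSZ is assumed to be validated earlier. */
static const struct hdr req_ok       = { MINSZ + 2 * ELEM_SIZE, 2 };
static const struct hdr req_minus1   = { MINSZ + 2 * ELEM_SIZE, -1 };
static const struct hdr req_wrapping = { MINSZ + 2 * ELEM_SIZE, INT32_MIN / 2 };

int main(void)
{
    const struct hdr *reqs[] = { &req_ok, &req_minus1, &req_wrapping };
    const char *names[]      = { "count=2", "count=-1", "count=INT32_MIN/2" };

    for (int i = 0; i < 3; i++)
        printf("%-18s signed: %ld  unsigned: %ld\n", names[i],
               alloc_size_signed(reqs[i]), alloc_size_unsigned(reqs[i]));
    return 0;
}
```

The third request is the instructive one: the product `0xC0000000 * 4` is exactly `0` modulo 2^32, so the "too large" clause sees a zero-byte request and the signed range clause sees a negative number, and neither rejects it. Making the field unsigned is what turns the range clause into a real upper bound.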