From mboxrd@z Thu Jan 1 00:00:00 1970 From: Vlad Tsyrklevich Subject: [PATCH] vfio/pci: Fix integer overflow/heap memory disclosure Date: Tue, 11 Oct 2016 13:02:19 +0200 Message-ID: <1476183739-35210-1-git-send-email-vlad@tsyrklevich.net> Cc: alex.williamson@redhat.com, Vlad Tsyrklevich To: kvm@vger.kernel.org Return-path: Received: from mail-lf0-f65.google.com ([209.85.215.65]:33311 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751375AbcJKLVD (ORCPT ); Tue, 11 Oct 2016 07:21:03 -0400 Received: by mail-lf0-f65.google.com with SMTP id l131so458273lfl.0 for ; Tue, 11 Oct 2016 04:20:31 -0700 (PDT) Sender: kvm-owner@vger.kernel.org List-ID: The VFIO_DEVICE_SET_IRQS and VFIO_DEVICE_GET_PCI_HOT_RESET_INFO ioctls do not sufficiently sanitize user-supplied integers, allowing users to read arbitrary amounts of kernel heap memory or cause a crash. Signed-off-by: Vlad Tsyrklevich --- drivers/vfio/pci/vfio_pci.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c index d624a52..c3fbfb8 100644 --- a/drivers/vfio/pci/vfio_pci.c +++ b/drivers/vfio/pci/vfio_pci.c @@ -838,6 +838,7 @@ static long vfio_pci_ioctl(void *device_data, return -EFAULT; if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS || + hdr.count >= (U32_MAX - hdr.start) || hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK | VFIO_IRQ_SET_ACTION_TYPE_MASK)) return -EINVAL; @@ -909,6 +910,9 @@ static long vfio_pci_ioctl(void *device_data, WARN_ON(!fill.max); /* Should always be at least one */ + if (hdr.count > fill.max) + hdr.count = fill.max; + /* * If there's enough space, fill it now, otherwise return * -ENOSPC and the number of devices affected. -- 2.7.0
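Review bot: in the first hunk the new guard `hdr.count >= (U32_MAX - hdr.start)` rejects one more value than strictly needed (`hdr.count == U32_MAX - hdr.start` does not wrap on addition), which is harmless, but neither the hunk nor the commit message says which later computation over `hdr.start + hdr.count` the check protects; a short comment on the added line, or a sentence in the changelog naming the overflowing expression, would let a reader verify the bound without reading the rest of the function.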
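Review bot: the second hunk silently clamps the user-supplied `hdr.count` to `fill.max` instead of rejecting an oversized value with -EINVAL, so a caller that passed a count larger than the number of affected devices now gets the same result as one that passed exactly `fill.max`; that is a reasonable choice since the comment immediately below already describes returning the real device count on -ENOSPC, but the clamp deserves a one-line comment stating that it bounds the size of the later copy to the array actually allocated, and the commit message should say that this hunk is the heap-disclosure fix while the first hunk is the integer-overflow fix.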