From: Dan Carpenter <dan.carpenter@oracle.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch 2/3] vfio: make count unsigned to prevent integer underflow
Date: Thu, 28 Jun 2012 09:44:58 +0300
Message-ID: <20120628064458.GB11107@elgon.mountain>
In-Reply-To: <1340686552.1207.128.camel@bling.home>

In vfio_pci_ioctl() there is a potential integer underflow where we might
allocate less data than intended.  We check that hdr.count is not too
large, but we don't check whether it is negative:

drivers/vfio/pci/vfio_pci.c
   312          if (hdr.argsz - minsz < hdr.count * size ||
   313              hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
   314                  return -EINVAL;
   315
   316          data = kmalloc(hdr.count * size, GFP_KERNEL);

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/include/linux/vfio.h b/include/linux/vfio.h
index 300d49b..86ef2da 100644
--- a/include/linux/vfio.h
+++ b/include/linux/vfio.h
@@ -347,7 +347,7 @@ struct vfio_irq_set {
 #define VFIO_IRQ_SET_ACTION_TRIGGER	(1 << 5) /* Trigger interrupt */
 	__u32	index;
 	__s32	start;
-	__s32	count;
+	__u32	count;
 	__u8	data[];
 };
 #define VFIO_DEVICE_SET_IRQS		_IO(VFIO_TYPE, VFIO_BASE + 10)
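Review bot: the hunk makes `count` unsigned but leaves `start` as `__s32` on the line directly above it; if `start` is bounds-checked against the IRQ count with the same `>` comparison, a negative `start` slips past exactly the way a negative `count` did, so `__u32 start;` deserves the same treatment, or the changelog should say why `start` must stay signed. The changelog quotes `hdr.count * size` at vfio_pci.c:312 without the types of `size` and `minsz`; whether a negative `count` yields a small wrapped product (the underflow described) or promotes to a huge unsigned value that the `argsz - minsz <` test already rejects depends on those types, so naming them would make the claim checkable. Since this is the user-visible ioctl header, it is worth noting that the struct's size and layout are unchanged, so existing callers are unaffected.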
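Added example in C, not the kernel's code and not part of Dan's patch: it models the length check quoted from vfio_pci.c:312-316 once with the pre-patch signed `count` and once with the post-patch unsigned `count`, and reports what each version would hand to kmalloc(). The header layouts, the 4-byte element size, the fixed IRQ count of 4 and the 32-bit wrapping product are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for vfio_pci_get_irq_count(vdev, hdr.index). */
#define IRQ_COUNT 4

/* Assumed minimal header layouts: only the fields this example needs,
 * with `count` signed (pre-patch) and unsigned (post-patch). */
struct irq_set_before { uint32_t argsz; uint32_t index; int32_t start; int32_t  count; uint8_t data[]; };
struct irq_set_after  { uint32_t argsz; uint32_t index; int32_t start; uint32_t count; uint8_t data[]; };

/* 32-bit two's-complement wrap of a signed product, written out so the
 * example has no signed-overflow undefined behaviour.  Assumption: the
 * driver's `hdr.count * size` is a 32-bit int product. */
static int32_t wrap_mul(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* Pre-patch shape of the check at vfio_pci.c:312-316 with a signed count.
 * Returns the byte count kmalloc() would receive, or -1 for -EINVAL. */
long alloc_len_before(uint32_t argsz, int32_t count, int32_t size)
{
    unsigned long minsz = offsetof(struct irq_set_before, data);
    int32_t bytes = wrap_mul(count, size);

    /* A negative product promotes to a huge unsigned value and is rejected;
     * a product that wrapped back to a small positive value is not, and the
     * signed `count > IRQ_COUNT` test cannot catch a negative count. */
    if (argsz - minsz < (unsigned long)bytes || count > IRQ_COUNT)
        return -1;
    return bytes;
}

/* Post-patch shape: the same check with an unsigned count. */
long alloc_len_after(uint32_t argsz, uint32_t count, int32_t size)
{
    unsigned long minsz = offsetof(struct irq_set_after, data);
    uint32_t bytes = count * (uint32_t)size;   /* may still wrap */

    /* The wrapped product alone would not save us; the unsigned comparison
     * against the IRQ count is what rejects the former "negative" value. */
    if (argsz - minsz < bytes || count > (uint32_t)IRQ_COUNT)
        return -1;
    return (long)bytes;
}

int main(void)
{
    const uint32_t argsz = 64;           /* constructed: caller's buffer size */
    const int32_t  size  = 4;            /* assumed: 4-byte data entries */
    const int32_t  bad   = -0x3FFFFFFF;  /* 0xC0000001 when read as __u32 */

    printf("count=2:          before=%ld after=%ld\n",
           alloc_len_before(argsz, 2, size), alloc_len_after(argsz, 2, size));
    printf("count=-1:         before=%ld after=%ld\n",
           alloc_len_before(argsz, -1, size), alloc_len_after(argsz, UINT32_MAX, size));
    printf("count=0x%08x: before=%ld after=%ld\n", (uint32_t)bad,
           alloc_len_before(argsz, bad, size), alloc_len_after(argsz, (uint32_t)bad, size));
    return 0;
}
```

The interesting input is the third one: with count = -0x3FFFFFFF and 4-byte entries the 32-bit product wraps to 4, so the signed version passes both halves of the check and hands kmalloc() 4 bytes for a request that claims over a billion entries. With an unsigned count the product wraps the same way, but 0xC0000001 is now greater than the IRQ count and the second half of the check rejects it. A plain -1 is rejected in both versions, because its product is negative and promotes to a huge unsigned value on the left-hand comparison.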