From: Dan Carpenter <dan.carpenter@oracle.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [patch 2/3] vfio: make count unsigned to prevent integer underflow
Date: Thu, 28 Jun 2012 09:44:58 +0300
Message-ID: <20120628064458.GB11107@elgon.mountain>
In-Reply-To: <1340686552.1207.128.camel@bling.home>

In vfio_pci_ioctl() there is a potential integer underflow where we
might allocate less data than intended.  We check that hdr.count is not
too large, but we don't check whether it is negative:

drivers/vfio/pci/vfio_pci.c
   312          if (hdr.argsz - minsz < hdr.count * size ||
   313              hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
   314                  return -EINVAL;
   315
   316          data = kmalloc(hdr.count * size, GFP_KERNEL);

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/include/linux/vfio.h b/include/linux/vfio.h
index 300d49b..86ef2da 100644
--- a/include/linux/vfio.h
+++ b/include/linux/vfio.h
@@ -347,7 +347,7 @@ struct vfio_irq_set {
 #define VFIO_IRQ_SET_ACTION_TRIGGER	(1 << 5) /* Trigger interrupt */
 	__u32	index;
 	__s32	start;
-	__s32	count;
+	__u32	count;
 	__u8	data[];
 };
 #define VFIO_DEVICE_SET_IRQS		_IO(VFIO_TYPE, VFIO_BASE + 10)
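Review bot: making `count` a `__u32` turns the second test quoted in the commit message, `hdr.count > vfio_pci_get_irq_count(vdev, hdr.index)`, into an unsigned comparison, so if vfio_pci_get_irq_count() can ever return a negative value (an error for an unsupported index, say) that value converts to a very large unsigned number and every count passes the bound; please confirm the helper never returns a negative, or check its result before the comparison. Also, `start` on the line above this hunk stays `__s32` while `count` becomes `__u32`; the commit message should say whether a negative `start` is rejected elsewhere, since the same reasoning applies to it.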

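As an added illustration, not part of this patch or of the kernel source, the C model below reproduces the two checks quoted in the commit message once with a signed and once with an unsigned count. It assumes a 32-bit size_t (modelled as uint32_t) so the multiplication can wrap, a non-negative irq_count, and hypothetical function names; the request values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the two checks quoted in the commit message.
 * size_t is modelled as uint32_t (a 32-bit kernel), so count * size
 * wraps modulo 2^32 exactly as the driver's multiplication would.
 * Returns the byte count kmalloc() would receive, or -1 where the
 * driver returns -EINVAL.  irq_count is assumed to be non-negative. */

/* Before the patch: count is __s32. */
long long check_count_signed(uint32_t argsz, uint32_t minsz, int32_t count,
                             uint32_t size, int irq_count)
{
    uint32_t bytes = (uint32_t)count * size;   /* negative count wraps */

    /* The first test catches many negative values (the product is
     * usually huge) but not one whose product wraps to a small number.
     * The second test compares int with int, so any negative count is
     * trivially "not greater than" irq_count and slips through. */
    if (argsz - minsz < bytes || count > irq_count)
        return -1;
    return bytes;
}

/* After the patch: count is __u32. */
long long check_count_unsigned(uint32_t argsz, uint32_t minsz, uint32_t count,
                               uint32_t size, int irq_count)
{
    uint32_t bytes = count * size;

    /* A "negative" value is now a value above 2^31, which can never be
     * <= irq_count, so the bound check rejects it no matter what the
     * multiplication wrapped to. */
    if (argsz - minsz < bytes || count > (uint32_t)irq_count)
        return -1;
    return bytes;
}

int main(void)
{
    /* Constructed request: 20-byte header, 8 bytes of payload,
     * 4-byte eventfd entries, device exposing 8 interrupts. */
    int32_t bad = -1073741824;                 /* 0xC0000000 */

    printf("signed   count=%d -> %lld bytes\n", bad,
           check_count_signed(28, 20, bad, 4, 8));              /* 0 */
    printf("unsigned count=%u -> %lld bytes\n", (uint32_t)bad,
           check_count_unsigned(28, 20, (uint32_t)bad, 4, 8));  /* -1 */
    return 0;
}
```

With the signed field the request claiming over a billion entries is accepted with a zero-byte allocation, which is the "less data than intended" case the commit message describes; the unsigned field rejects it.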