All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Andrew Morton <akpm@linux-foundation.org>,
	Timur Tabi <timur@freescale.com>
Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org,
	Mihai Caraman <mihai.caraman@freescale.com>,
	Kumar Gala <galak@kernel.crashing.org>
Subject: [PATCH 2/2] fsl_hypervisor: prevent integer overflow in ioctl
Date: Tue, 18 Dec 2018 11:21:29 +0300	[thread overview]
Message-ID: <20181218082129.GE32567@kadam> (raw)
In-Reply-To: <20181218082003.GD32567@kadam>

The "param.count" value is a u64 thatcomes from the user.  The code
later in the function assumes that param.count is at least one and if
it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.

Also the addition can have an integer overflow which would lead us to
allocate a smaller "pages" array than required.  I can't immediately
tell what the possible run times implications are, but it's safest to
prevent the overflow.

Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/virt/fsl_hypervisor.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
index 7b7f8e9a2801..1bbd910d4ddb 100644
--- a/drivers/virt/fsl_hypervisor.c
+++ b/drivers/virt/fsl_hypervisor.c
@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
 	 * hypervisor.
 	 */
 	lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
+	if (param.count == 0 ||
+	    param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
+		return -EINVAL;
 	num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
 
 	/* Allocate the buffers we need */
-- 
2.17.1


WARNING: multiple messages have this Message-ID
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Andrew Morton <akpm@linux-foundation.org>,
	Timur Tabi <timur@freescale.com>
Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org,
	Mihai Caraman <mihai.caraman@freescale.com>,
	Kumar Gala <galak@kernel.crashing.org>
Subject: [PATCH 2/2] fsl_hypervisor: prevent integer overflow in ioctl
Date: Tue, 18 Dec 2018 08:21:29 +0000	[thread overview]
Message-ID: <20181218082129.GE32567@kadam> (raw)
In-Reply-To: <20181218082003.GD32567@kadam>

The "param.count" value is a u64 thatcomes from the user.  The code
later in the function assumes that param.count is at least one and if
it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.

Also the addition can have an integer overflow which would lead us to
allocate a smaller "pages" array than required.  I can't immediately
tell what the possible run times implications are, but it's safest to
prevent the overflow.

Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/virt/fsl_hypervisor.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
index 7b7f8e9a2801..1bbd910d4ddb 100644
--- a/drivers/virt/fsl_hypervisor.c
+++ b/drivers/virt/fsl_hypervisor.c
@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
 	 * hypervisor.
 	 */
 	lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
+	if (param.count = 0 ||
+	    param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
+		return -EINVAL;
 	num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
 
 	/* Allocate the buffers we need */
-- 
2.17.1

  reply	other threads:[~2018-12-18  8:21 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-18  8:20 [PATCH 1/2] fsl_hypervisor: dereferencing error pointers " Dan Carpenter
2018-12-18  8:20 ` Dan Carpenter
2018-12-18  8:21 ` Dan Carpenter [this message]
2018-12-18  8:21   ` [PATCH 2/2] fsl_hypervisor: prevent integer overflow " Dan Carpenter
2019-04-04 10:13 ` [PATCH 1/2] fsl_hypervisor: dereferencing error pointers " Dan Carpenter
2019-04-04 10:13   ` Dan Carpenter
2019-04-04 19:10 ` Andrew Morton
2019-04-04 19:10   ` Andrew Morton
2019-04-04 19:14   ` Dan Carpenter
2019-04-04 19:14     ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181218082129.GE32567@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=galak@kernel.crashing.org \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mihai.caraman@freescale.com \
    --cc=timur@freescale.com \
    --subject='Re: [PATCH 2/2] fsl_hypervisor: prevent integer overflow in ioctl' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.