From: Jason Wang <jasowang@redhat.com>
To: Xie Yongji <xieyongji@bytedance.com>,
mst@redhat.com, dan.carpenter@oracle.com
Cc: virtualization@lists.linux-foundation.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] vhost-vdpa: Fix integer overflow in vhost_vdpa_process_iotlb_update()
Date: Mon, 19 Jul 2021 11:30:09 +0800 [thread overview]
Message-ID: <b6c93e88-0ba2-d07e-2597-e6935ab8de18@redhat.com> (raw)
In-Reply-To: <20210716102239.96-1-xieyongji@bytedance.com>
在 2021/7/16 下午6:22, Xie Yongji 写道:
> The "msg->iova + msg->size" addition can have an integer overflow
> if the iotlb message is from a malicious user space application.
> So let's fix it.
>
> Fixes: 1b48dc03e575 ("vhost: vdpa: report iova range")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
> ---
> drivers/vhost/vdpa.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 210ab35a7ebf..8e3c8790d493 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -615,6 +615,7 @@ static int vhost_vdpa_process_iotlb_update(struct vhost_vdpa *v,
> int ret = 0;
>
> if (msg->iova < v->range.first ||
> + msg->iova - 1 > U64_MAX - msg->size ||
> msg->iova + msg->size - 1 > v->range.last)
> return -EINVAL;
>
WARNING: multiple messages have this Message-ID (diff)
From: Jason Wang <jasowang@redhat.com>
To: Xie Yongji <xieyongji@bytedance.com>,
mst@redhat.com, dan.carpenter@oracle.com
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
virtualization@lists.linux-foundation.org
Subject: Re: [PATCH 1/2] vhost-vdpa: Fix integer overflow in vhost_vdpa_process_iotlb_update()
Date: Mon, 19 Jul 2021 11:30:09 +0800 [thread overview]
Message-ID: <b6c93e88-0ba2-d07e-2597-e6935ab8de18@redhat.com> (raw)
In-Reply-To: <20210716102239.96-1-xieyongji@bytedance.com>
在 2021/7/16 下午6:22, Xie Yongji 写道:
> The "msg->iova + msg->size" addition can have an integer overflow
> if the iotlb message is from a malicious user space application.
> So let's fix it.
>
> Fixes: 1b48dc03e575 ("vhost: vdpa: report iova range")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
> ---
> drivers/vhost/vdpa.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 210ab35a7ebf..8e3c8790d493 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -615,6 +615,7 @@ static int vhost_vdpa_process_iotlb_update(struct vhost_vdpa *v,
> int ret = 0;
>
> if (msg->iova < v->range.first ||
> + msg->iova - 1 > U64_MAX - msg->size ||
> msg->iova + msg->size - 1 > v->range.last)
> return -EINVAL;
>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-07-19 3:30 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-16 10:22 [PATCH 1/2] vhost-vdpa: Fix integer overflow in vhost_vdpa_process_iotlb_update() Xie Yongji
2021-07-16 10:22 ` [PATCH 2/2] vhost: Fix the calculation in vhost_overflow() Xie Yongji
2021-07-19 3:30 ` Jason Wang
2021-07-19 3:30 ` Jason Wang
2021-07-19 3:30 ` Jason Wang [this message]
2021-07-19 3:30 ` [PATCH 1/2] vhost-vdpa: Fix integer overflow in vhost_vdpa_process_iotlb_update() Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b6c93e88-0ba2-d07e-2597-e6935ab8de18@redhat.com \
--to=jasowang@redhat.com \
--cc=dan.carpenter@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=xieyongji@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.