* [PATCH] vfio/type1: Fix unmap overflow off-by-one
@ 2019-01-08 16:40 Alex Williamson
From: Alex Williamson @ 2019-01-08 16:40 UTC (permalink / raw)
  To: alex.williamson; +Cc: kvm, linux-kernel, dan.carpenter, peterx, cohuck

The below referenced commit adds a test for integer overflow, but in
doing so prevents the unmap ioctl from ever including the last page of
the address space.  Subtract one to compare to the last address of the
unmap to avoid the overflow and wrap-around.

Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Pei Zhang <pezhang@redhat.com>
Debugged-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
---
 drivers/vfio/vfio_iommu_type1.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 7651cfb14836..73652e21efec 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
 		return -EINVAL;
 	if (!unmap->size || unmap->size & mask)
 		return -EINVAL;
-	if (unmap->iova + unmap->size < unmap->iova ||
+	if (unmap->iova + unmap->size - 1 < unmap->iova ||
 	    unmap->size > SIZE_MAX)
 		return -EINVAL;
 
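Review bot: the patched condition `unmap->iova + unmap->size - 1 < unmap->iova` is only underflow-safe because `if (!unmap->size || unmap->size & mask)` two lines above has already rejected a zero size; that ordering dependency is invisible at the check itself, so a short comment such as `/* size is non-zero, so size - 1 cannot underflow */` would protect it against a later reordering of the checks. The new form is otherwise right: for a range ending at the top of the address space, `iova + size` wraps to exactly 0 and the old `< unmap->iova` test rejected it, whereas comparing the last address of the range admits it while still rejecting any range whose last address wraps past the start.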


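The two checks side by side, as an added example that is not part of the patch or of the kernel tree: it models the pre-fix and post-fix overflow tests from vfio_dma_do_unmap() on 64-bit iova/size values with an assumed 4 KiB page mask (PAGE_MASK, unmap_args_aligned and unmap_range_ok_before/after are this example's own names), and shows that only the patched form admits the last page of the address space while both still reject a genuine wrap-around.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed page geometry for the example: 4 KiB pages, so the mask
 * rejects anything not page aligned (the kernel derives it from the
 * IOMMU's pgsize_bitmap instead). */
#define PAGE_SHIFT 12
#define PAGE_MASK  (((uint64_t)1 << PAGE_SHIFT) - 1)

/* Shared prefix of both checks: reject unaligned or empty ranges.
 * The non-zero size test is what makes "size - 1" below safe. */
static bool unmap_args_aligned(uint64_t iova, uint64_t size)
{
	return !(iova & PAGE_MASK) && size && !(size & PAGE_MASK);
}

/* Check as it stood before the fix: when the range ends at the top of
 * the address space, iova + size wraps to exactly 0, and 0 < iova
 * rejects the last page even though the range itself is valid. */
static bool unmap_range_ok_before(uint64_t iova, uint64_t size)
{
	if (!unmap_args_aligned(iova, size))
		return false;
	return !(iova + size < iova);
}

/* Check as patched: compare the last address covered by the range
 * rather than the one-past-the-end address. A range that truly wraps
 * still has a last address below iova and is still rejected. */
static bool unmap_range_ok_after(uint64_t iova, uint64_t size)
{
	if (!unmap_args_aligned(iova, size))
		return false;
	return !(iova + size - 1 < iova);
}

int main(void)
{
	const uint64_t last_page = UINT64_MAX - PAGE_MASK; /* 0xfffffffffffff000 */
	const uint64_t one_page = PAGE_MASK + 1;

	printf("last page, before fix: %d\n", unmap_range_ok_before(last_page, one_page));
	printf("last page, after fix:  %d\n", unmap_range_ok_after(last_page, one_page));
	printf("two pages from last page (real wrap), after fix: %d\n",
	       unmap_range_ok_after(last_page, 2 * one_page));
	return 0;
}
```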

* Re: [PATCH] vfio/type1: Fix unmap overflow off-by-one
From: Dan Carpenter @ 2019-01-08 18:53 UTC (permalink / raw)
  To: Alex Williamson; +Cc: kvm, linux-kernel, peterx, cohuck

Yeah, sorry about that.

Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>

regards,
dan carpenter



* Re: [PATCH] vfio/type1: Fix unmap overflow off-by-one
From: Peter Xu @ 2019-01-09  3:11 UTC (permalink / raw)
  To: Alex Williamson; +Cc: kvm, linux-kernel, dan.carpenter, cohuck

On Tue, Jan 08, 2019 at 09:40:06AM -0700, Alex Williamson wrote:
> The below referenced commit adds a test for integer overflow, but in
> doing so prevents the unmap ioctl from ever including the last page of
> the address space.  Subtract one to compare to the last address of the
> unmap to avoid the overflow and wrap-around.
> 
> Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Reported-by: Pei Zhang <pezhang@redhat.com>
> Debugged-by: Peter Xu <peterx@redhat.com>
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

I tested this against the QEMU reboot error and it works.

Reviewed-by: Peter Xu <peterx@redhat.com>
Tested-by: Peter Xu <peterx@redhat.com>

Thanks,

> ---
>  drivers/vfio/vfio_iommu_type1.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index 7651cfb14836..73652e21efec 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
>  		return -EINVAL;
>  	if (!unmap->size || unmap->size & mask)
>  		return -EINVAL;
> -	if (unmap->iova + unmap->size < unmap->iova ||
> +	if (unmap->iova + unmap->size - 1 < unmap->iova ||
>  	    unmap->size > SIZE_MAX)
>  		return -EINVAL;
>  
> 

-- 
Peter Xu


* Re: [PATCH] vfio/type1: Fix unmap overflow off-by-one
From: Cornelia Huck @ 2019-01-09  8:58 UTC (permalink / raw)
  To: Alex Williamson; +Cc: kvm, linux-kernel, dan.carpenter, peterx

On Tue, 08 Jan 2019 09:40:06 -0700
Alex Williamson <alex.williamson@redhat.com> wrote:

> The below referenced commit adds a test for integer overflow, but in
> doing so prevents the unmap ioctl from ever including the last page of
> the address space.  Subtract one to compare to the last address of the
> unmap to avoid the overflow and wrap-around.
> 
> Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Reported-by: Pei Zhang <pezhang@redhat.com>
> Debugged-by: Peter Xu <peterx@redhat.com>
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> ---
>  drivers/vfio/vfio_iommu_type1.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Cornelia Huck <cohuck@redhat.com>
