From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Michael S. Tsirkin" <mst@redhat.com>,
Xie Yongji <xieyongji@bytedance.com>
Cc: Jason Wang <jasowang@redhat.com>, Eli Cohen <elic@nvidia.com>,
Parav Pandit <parav@nvidia.com>,
virtualization@lists.linux-foundation.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl()
Date: Wed, 8 Dec 2021 13:33:07 +0300 [thread overview]
Message-ID: <20211208103307.GA3778@kili> (raw)
The "config.offset" comes from the user. There needs to a check to
prevent it being out of bounds. The "config.offset" and
"dev->config_size" variables are both type u32. So if the offset if
out of bounds then the "dev->config_size - config.offset" subtraction
results in a very high u32 value. The out of bounds offset can result
in memory corruption.
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix reversed if statement
v3: fix vhost_vdpa_config_validate() as pointed out by Yongji Xie.
v4: split the vhost_vdpa_config_validate() change into a separate path
drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index c9204c62f339..1a206f95d73a 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
break;
ret = -EINVAL;
- if (config.length == 0 ||
+ if (config.offset > dev->config_size ||
+ config.length == 0 ||
config.length > dev->config_size - config.offset)
break;
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Michael S. Tsirkin" <mst@redhat.com>,
Xie Yongji <xieyongji@bytedance.com>
Cc: kernel-janitors@vger.kernel.org, Eli Cohen <elic@nvidia.com>,
virtualization@lists.linux-foundation.org
Subject: [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl()
Date: Wed, 8 Dec 2021 13:33:07 +0300 [thread overview]
Message-ID: <20211208103307.GA3778@kili> (raw)
The "config.offset" comes from the user. There needs to a check to
prevent it being out of bounds. The "config.offset" and
"dev->config_size" variables are both type u32. So if the offset if
out of bounds then the "dev->config_size - config.offset" subtraction
results in a very high u32 value. The out of bounds offset can result
in memory corruption.
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix reversed if statement
v3: fix vhost_vdpa_config_validate() as pointed out by Yongji Xie.
v4: split the vhost_vdpa_config_validate() change into a separate path
drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index c9204c62f339..1a206f95d73a 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
break;
ret = -EINVAL;
- if (config.length == 0 ||
+ if (config.offset > dev->config_size ||
+ config.length == 0 ||
config.length > dev->config_size - config.offset)
break;
--
2.20.1
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next reply other threads:[~2021-12-08 10:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-08 10:33 Dan Carpenter [this message]
2021-12-08 10:33 ` [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Dan Carpenter
2021-12-08 10:33 ` [PATCH 2/2 v4] vdpa: check that offsets are within bounds Dan Carpenter
2021-12-08 10:33 ` Dan Carpenter
2021-12-09 2:12 ` Jason Wang
2021-12-09 2:12 ` Jason Wang
2021-12-09 2:35 ` Yongji Xie
2021-12-09 2:12 ` [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Jason Wang
2021-12-09 2:12 ` Jason Wang
2021-12-09 2:34 ` Yongji Xie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211208103307.GA3778@kili \
--to=dan.carpenter@oracle.com \
--cc=elic@nvidia.com \
--cc=jasowang@redhat.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=mst@redhat.com \
--cc=parav@nvidia.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=xieyongji@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.