From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Michael S. Tsirkin" <mst@redhat.com>, Xie Yongji <xieyongji@bytedance.com>
Cc: Jason Wang <jasowang@redhat.com>, Eli Cohen <elic@nvidia.com>, Parav Pandit <parav@nvidia.com>, virtualization@lists.linux-foundation.org, kernel-janitors@vger.kernel.org
Subject: [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl()
Date: Wed, 8 Dec 2021 13:33:07 +0300
Message-ID: <20211208103307.GA3778@kili>

The "config.offset" comes from the user. There needs to be a check to prevent it being out of bounds. The "config.offset" and "dev->config_size" variables are both type u32. So if the offset is out of bounds then the "dev->config_size - config.offset" subtraction results in a very high u32 value. The out of bounds offset can result in memory corruption.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix reversed if statement
v3: fix vhost_vdpa_config_validate() as pointed out by Yongji Xie.
v4: split the vhost_vdpa_config_validate() change into a separate patch

 drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index c9204c62f339..1a206f95d73a 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd, break; ret = -EINVAL; - if (config.length == 0 || + if (config.offset > dev->config_size || + config.length == 0 || config.length > dev->config_size - config.offset) break; -- 2.20.1
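Review bot: the order of the three conditions in the new `if` in the vduse_dev_ioctl() hunk is load-bearing, and nothing in the hunk records that. `config.offset > dev->config_size` must stay first, because `||` short-circuits and `dev->config_size - config.offset` is only safe to evaluate once the offset is known not to exceed config_size; a later cleanup that reorders the tests (for instance, to put the cheap `config.length == 0` test back in front, as it was before the patch) would silently reintroduce the u32 wraparound the commit message describes. A one-line comment above the check, such as `/* validate offset before the subtraction below, which otherwise wraps */`, would make the dependency explicit to the next reader. The `>` rather than `>=` is correct as written: offset == config_size leaves zero bytes, and any nonzero length is then rejected by the third condition.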
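The u32 wraparound that the commit message describes, as an added example that is not part of the patch or of the kernel's own code. The `config_range` struct, the helper names `range_ok_before`, `range_ok_after` and `range_ok_no_subtract`, and the 256-byte config size are constructed stand-ins for the ioctl's offset/length pair and `dev->config_size`. The first two helpers mirror the pre-patch and patched conditions exactly as they appear in the hunk; the third goes beyond the page and shows the same bound written without any subtraction, which is the other common way to make such a check wrap-proof.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the offset/length pair the ioctl copies in from
 * user space; the real struct lives in the kernel's uapi headers and is not
 * reproduced here. config_size plays the role of dev->config_size.
 */
struct config_range {
	uint32_t offset;
	uint32_t length;
};

/*
 * Pre-patch check (hypothetical helper name). When offset > config_size the
 * u32 subtraction wraps to a huge value, so "length > huge" is false and an
 * out-of-bounds range is accepted.
 */
bool range_ok_before(struct config_range c, uint32_t config_size)
{
	if (c.length == 0 ||
	    c.length > config_size - c.offset)
		return false;
	return true;
}

/*
 * Patched check, in the same order as the hunk: the offset test runs first,
 * so the subtraction is only evaluated once offset <= config_size and cannot
 * wrap. offset == config_size leaves zero bytes, and any nonzero length is
 * then rejected by the third condition.
 */
bool range_ok_after(struct config_range c, uint32_t config_size)
{
	if (c.offset > config_size ||
	    c.length == 0 ||
	    c.length > config_size - c.offset)
		return false;
	return true;
}

/*
 * Equivalent bound with no subtraction at all (not the form the patch uses):
 * offset + length must fit in config_size, and the addition itself is guarded
 * so that it cannot wrap either.
 */
bool range_ok_no_subtract(struct config_range c, uint32_t config_size)
{
	if (c.length == 0)
		return false;
	if (c.offset > UINT32_MAX - c.length)	/* offset + length would wrap */
		return false;
	return c.offset + c.length <= config_size;
}

/* Stand-alone demonstration over a constructed 256-byte config space. */
int main(void)
{
	const uint32_t config_size = 256;
	const struct config_range cases[] = {
		{ 0,          256 },	/* whole buffer            */
		{ 255,        1   },	/* last byte               */
		{ 255,        2   },	/* one byte past the end   */
		{ 256,        1   },	/* offset at the end       */
		{ 300,        16  },	/* offset past the end     */
		{ UINT32_MAX, 1   },	/* maximal offset          */
	};

	printf("%-12s %-8s %-7s %-7s %-7s\n",
	       "offset", "length", "before", "after", "no-sub");
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct config_range c = cases[i];
		printf("%-12" PRIu32 " %-8" PRIu32 " %-7s %-7s %-7s\n",
		       c.offset, c.length,
		       range_ok_before(c, config_size) ? "accept" : "reject",
		       range_ok_after(c, config_size) ? "accept" : "reject",
		       range_ok_no_subtract(c, config_size) ? "accept" : "reject");
	}
	return 0;
}
```

The two rows to look at are offset 300 and offset UINT32_MAX: the pre-patch form accepts both because `256 - 300` and `256 - 0xFFFFFFFF` wrap to 4294967252 and 257 respectively, so the length comparison passes, while both patched forms reject them. Every in-bounds row (0/256, 255/1) is accepted by all three, which is the property a validation change like this should be checked for before it is merged.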
Thread overview (10+ messages):
2021-12-08 10:33 [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() - Dan Carpenter [this message]
2021-12-08 10:33 ` [PATCH 2/2 v4] vdpa: check that offsets are within bounds - Dan Carpenter
2021-12-09  2:12   ` Jason Wang
2021-12-09  2:35   ` Yongji Xie
2021-12-09  2:12 ` [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() - Jason Wang
2021-12-09  2:34 ` Yongji Xie