From: Dan Carpenter <dan.carpenter@oracle.com>
To: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@epam.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Andres Lagar-Cavilla <andreslc@gridcentric.ca>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
David Vrabel <david.vrabel@citrix.com>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
"kernel-janitors@vger.kernel.org"
<kernel-janitors@vger.kernel.org>,
Juergen Gross <jgross@suse.com>
Subject: Re: [PATCH] xen/privcmd: prevent integer overflow on 32 bit systems
Date: Sat, 16 Jul 2022 13:12:46 +0300 [thread overview]
Message-ID: <20220716101246.GA2338@kadam> (raw)
In-Reply-To: <fa5e41eb-7f10-56d5-77db-e214535addf4@epam.com>
On Fri, Jul 15, 2022 at 08:56:30AM +0000, Oleksandr Tyshchenko wrote:
>
> On 15.07.22 11:20, Dan Carpenter wrote:
>
>
> Hello Dan
>
> > The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow
> > on 32 bit systems. Probably no one really uses this software on 32 bit
> > systems, but it's still worth fixing the bug if only to make the static
> > checker happy.
> >
> > Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > drivers/xen/privcmd.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> > index ad17166b0ef6..1e59b76c618e 100644
> > --- a/drivers/xen/privcmd.c
> > +++ b/drivers/xen/privcmd.c
> > @@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch(
> > if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
> > return -EFAULT;
> > /* Returns per-frame error in m.arr. */
> > + if (m.num > SIZE_MAX / sizeof(*m.arr))
> > + return -EINVAL;
> > m.err = NULL;
> > if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
> > return -EFAULT;
> > @@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch(
> > if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
> > return -EFAULT;
> > /* Returns per-frame error code in m.err. */
> > + if (m.num > SIZE_MAX / sizeof(*m.arr))
>
> Looks like here we need to check against sizeof(*m.err) which is used in
> the multiplication below.
Oh, yeah. Sorry! Need to redo that.
regards,
dan carpenter
next prev parent reply other threads:[~2022-07-16 10:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-15 8:20 [PATCH] xen/privcmd: prevent integer overflow on 32 bit systems Dan Carpenter
2022-07-15 8:56 ` Oleksandr Tyshchenko
2022-07-16 10:12 ` Dan Carpenter [this message]
2022-07-19 18:57 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220716101246.GA2338@kadam \
--to=dan.carpenter@oracle.com \
--cc=Oleksandr_Tyshchenko@epam.com \
--cc=andreslc@gridcentric.ca \
--cc=david.vrabel@citrix.com \
--cc=jgross@suse.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.