From: David Vrabel
Date: Mon, 18 Jan 2016 16:38:01 +0000
To: Insu Yun
Subject: Re: [PATCH] xen: fix potential integer overflow in queue_reply
Message-ID: <569D14E9.2050300@citrix.com>
In-Reply-To: <1453134547-13875-1-git-send-email-wuninsu@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 18/01/16 16:29, Insu Yun wrote:
> When len is greater than UINT_MAX - sizeof(*rb), in the next allocation
> it can overflow the integer range and allocate a small heap buffer.
> After that, memcpy will overflow the allocated heap.
> Therefore, it needs to check the size of the given length.
[...]
> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
> {
>     struct read_buffer *rb;
>
> -   if (len == 0)
> +   if (len == 0 || len >= UINT_MAX - sizeof(*rb))
                        ^^^^^^^^^^^^^^^^^^^^^^

Please check len > XENSTORE_PAYLOAD_MAX instead.

David
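Review bot: the new bound in the `+` line guards the wrong quantity. `len` is a `size_t` (see the function signature in the `@@` header), so comparing it against `UINT_MAX - sizeof(*rb)` only marks the wrap point of a 32-bit size; on a 64-bit kernel the check still admits lengths of almost 4 GiB, and the allocation the commit message describes would then be attempted at that size rather than rejected. Xenstore messages have a protocol maximum, so bound the length against that constant instead, as David suggests, e.g. `if (len == 0 || len > XENSTORE_PAYLOAD_MAX)`; that rejects oversized replies outright and makes the size arithmetic unreachable for hostile lengths on any word size.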
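As an added illustration, not code from the patch or from the kernel, the following C program contrasts the check the patch proposes with the protocol-maximum bound David asks for, and shows the size computation the commit message worries about. `struct read_buffer`'s layout and the `PAYLOAD_MAX` value are constructed stand-ins for the kernel's type and `XENSTORE_PAYLOAD_MAX`, which are not reproduced here; `__builtin_add_overflow` is a GCC/Clang builtin.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct read_buffer; layout is assumed. */
struct read_buffer {
    size_t cons;
    size_t len;
    char msg[];           /* payload follows the header */
};

/* Assumed protocol maximum, standing in for XENSTORE_PAYLOAD_MAX. */
#define PAYLOAD_MAX 4096

/* Bytes needed for header plus payload, or 0 if the sum cannot be
 * represented in size_t. This is the arithmetic the commit message
 * describes: with a 32-bit size_t, sizeof(*rb) + len wraps for a huge
 * len and yields a tiny allocation that memcpy then overruns. */
static size_t reply_alloc_size(size_t len)
{
    size_t total;
    if (__builtin_add_overflow(sizeof(struct read_buffer), len, &total))
        return 0;
    return total;
}

/* The check the patch proposes: only avoids the 32-bit wrap point. */
static int patch_len_ok(size_t len)
{
    return len != 0 && len < UINT_MAX - sizeof(struct read_buffer);
}

/* The check the reviewer asks for: reject anything above the protocol
 * maximum, which also makes the size arithmetic unreachable for large len. */
static int reply_len_ok(size_t len)
{
    return len != 0 && len <= PAYLOAD_MAX;
}

/* Allocate a reply buffer and copy the payload in; NULL on rejected length. */
static struct read_buffer *queue_reply_copy(const void *data, size_t len)
{
    if (!reply_len_ok(len))
        return NULL;
    size_t total = reply_alloc_size(len);
    if (total == 0)
        return NULL;
    struct read_buffer *rb = malloc(total);
    if (!rb)
        return NULL;
    rb->cons = 0;
    rb->len = len;
    memcpy(rb->msg, data, len);   /* safe: total >= sizeof(*rb) + len */
    return rb;
}

/* Constructed sample payload round-tripped through queue_reply_copy. */
static int copy_roundtrip_ok(void)
{
    const char sample[] = "constructed xenstore reply";
    struct read_buffer *rb = queue_reply_copy(sample, sizeof sample);
    if (!rb)
        return 0;
    int ok = rb->len == sizeof sample && memcmp(rb->msg, sample, sizeof sample) == 0;
    free(rb);
    return ok;
}

int main(void)
{
    size_t big = (size_t)1 << 20;  /* 1 MiB: passes the patch's check, fails the bound */
    printf("patch check admits 1 MiB: %d\n", patch_len_ok(big));
    printf("payload bound admits 1 MiB: %d\n", reply_len_ok(big));
    printf("alloc size for SIZE_MAX payload representable: %d\n",
           reply_alloc_size(SIZE_MAX) != 0);
    printf("sample round trip: %d\n", copy_roundtrip_ok());
    return 0;
}
```

The contrast to take away: `patch_len_ok` accepts a 1 MiB length because it only excludes the 32-bit wrap region, whereas `reply_len_ok` rejects it because no valid xenstore reply can be that large; bounding against the protocol maximum is the check that is correct on both word sizes.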