From: David Vrabel
Date: Mon, 18 Jan 2016 16:47:15 +0000
To: David Vrabel, Insu Yun
Subject: Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply
Message-ID: <569D1713.3060306@citrix.com>
References: <1453134547-13875-1-git-send-email-wuninsu@gmail.com> <569D14E9.2050300@citrix.com>
In-Reply-To: <569D14E9.2050300@citrix.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 18/01/16 16:38, David Vrabel wrote:
> On 18/01/16 16:29, Insu Yun wrote:
>> When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
>> it can overflow integer range and allocates small size of heap.
>> After that, memcpy will overflow the allocated heap.
>> Therefore, it needs to check the size of given length.
> [...]
>> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
>> {
>> struct read_buffer *rb;
>>
>> - if (len == 0)
>> + if (len == 0 || len >= UINT_MAX - sizeof(*rb))
> ^^^^^^^^^^^^^^^^^^^^^^
> Please check
>
> len > XENSTORE_PAYLOAD_MAX
>
> instead.

And return -EINVAL in this case (not zero).

David
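Review bot: the new condition `if (len == 0 || len >= UINT_MAX - sizeof(*rb))` folds the oversized-length case into the same branch as the empty-reply case, so a caller that passes a too-large length gets whatever `len == 0` returns rather than an error; the bound should be the protocol limit (`len > XENSTORE_PAYLOAD_MAX`, as the reply says) and that case should return -EINVAL instead of sharing the zero-length return. A second point on the same line: `len` is declared `size_t` in the hunk header, so comparing it against `UINT_MAX` only models the wrap-around where the allocation size is computed in a 32-bit type; a check against the protocol maximum is independent of integer width and is the one a reader of this function can verify without knowing the platform.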
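To make the overflow in the commit message and the fix suggested in the reply concrete, here is an added C example that is not part of this thread or of the Xen tree. It uses a toy `struct read_buffer` with 32-bit fields and a stand-in `XENSTORE_PAYLOAD_MAX` of 4096 (both assumptions, chosen so the arithmetic is platform-independent) and shows, first, how `sizeof(*rb) + len` wraps to a tiny allocation when the sum is computed in 32 bits, and second, a length check in the spirit of the review reply that rejects anything above the protocol maximum with -EINVAL before any allocation arithmetic happens.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the protocol limit; the real definition lives in
 * Xen's xs_wire.h and is not part of this example. */
#define XENSTORE_PAYLOAD_MAX 4096

/* Toy stand-in for the kernel's read_buffer: two 32-bit fields followed by
 * a flexible array, so sizeof(struct read_buffer) == 8 on every platform. */
struct read_buffer {
    uint32_t cons;
    uint32_t len;
    char msg[];
};

/* Allocation size as a 32-bit platform would compute sizeof(*rb) + len.
 * The sum wraps modulo 2^32: a huge len produces a tiny (or zero) size,
 * which is the heap overflow the commit message describes. */
uint32_t alloc_size_u32(uint32_t len)
{
    return (uint32_t)sizeof(struct read_buffer) + len;
}

/* Hardened length check: 0 means "nothing to queue" (same as the original
 * code), 1 means the length is acceptable, -EINVAL rejects anything above
 * the protocol maximum. The bound does not depend on integer width. */
int validate_reply_len(size_t len)
{
    if (len == 0)
        return 0;
    if (len > XENSTORE_PAYLOAD_MAX)
        return -EINVAL;
    return 1;
}

/* Allocate and copy only after validation. Returns NULL and stores the
 * status in *err on rejection or allocation failure. */
struct read_buffer *queue_reply_safe(const void *data, size_t len, int *err)
{
    int rc = validate_reply_len(len);
    if (rc <= 0) {
        *err = rc;
        return NULL;
    }
    /* len <= 4096 here, so this sum cannot wrap in any size_t. */
    struct read_buffer *rb = malloc(sizeof(*rb) + len);
    if (!rb) {
        *err = -ENOMEM;
        return NULL;
    }
    rb->cons = 0;
    rb->len = (uint32_t)len;
    memcpy(rb->msg, data, len);
    *err = 0;
    return rb;
}

/* Test helper: queue a reply and return the status code, verifying that a
 * successful call copied the payload faithfully (-1 if it did not). */
int try_queue(const char *data, size_t len)
{
    int err = 0;
    struct read_buffer *rb = queue_reply_safe(data, len, &err);
    if (rb) {
        if (rb->len != len || memcmp(rb->msg, data, len) != 0)
            err = -1;
        free(rb);
    }
    return err;
}

int main(void)
{
    printf("sizeof(*rb) + 0xFFFFFFF8 in 32 bits = %u\n",
           alloc_size_u32(0xFFFFFFF8u));          /* wraps to 0 */
    printf("validate_reply_len(4097) = %d\n", validate_reply_len(4097));
    printf("try_queue(\"abc\", 3) = %d\n", try_queue("abc", 3));
    return 0;
}
```

The first `printf` shows the wrap that the original patch tried to guard against with `UINT_MAX - sizeof(*rb)`; the check in `validate_reply_len` never reaches that arithmetic, because any length large enough to wrap is already far above the protocol maximum and is rejected with an explicit error code the caller can distinguish from the empty-reply case.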