From: Eric Auger <eric.auger@linaro.org>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH] vfio/pci: Fix unsigned comparison overflow
Date: Thu, 4 Feb 2016 14:12:28 +0100
Message-ID: <56B34E3C.9010105@linaro.org>
In-Reply-To: <20160201235430.21791.64530.stgit@gimli.home>
Hi Alex,
Reviewed-by: Eric Auger <eric.auger@linaro.org>
Tested-by: Eric Auger <eric.auger@linaro.org>
Best Regards
Eric
On 02/02/2016 12:54 AM, Alex Williamson wrote:
> Signed versus unsigned comparisons are implicitly cast to unsigned,
> which result in a couple possible overflows. For instance (start +
> count) might overflow and wrap, getting through our validation test.
> Also when unwinding setup, -1 being compared as unsigned doesn't
> produce the intended stop condition. Fix both of these and also fix
> vfio_msi_set_vector_signal() to validate parameters before using the
> vector index, though none of the callers should pass bad indexes
> anymore.
>
> Reported-by: Eric Auger <eric.auger@linaro.org>
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> ---
> drivers/vfio/pci/vfio_pci_intrs.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
> index 3b3ba15..e9ea3fe 100644
> --- a/drivers/vfio/pci/vfio_pci_intrs.c
> +++ b/drivers/vfio/pci/vfio_pci_intrs.c
> @@ -309,14 +309,14 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
> int vector, int fd, bool msix)
> {
> struct pci_dev *pdev = vdev->pdev;
> - int irq = msix ? vdev->msix[vector].vector : pdev->irq + vector;
> - char *name = msix ? "vfio-msix" : "vfio-msi";
> struct eventfd_ctx *trigger;
> - int ret;
> + int irq, ret;
>
> - if (vector >= vdev->num_ctx)
> + if (vector < 0 || vector >= vdev->num_ctx)
> return -EINVAL;
>
> + irq = msix ? vdev->msix[vector].vector : pdev->irq + vector;
> +
> if (vdev->ctx[vector].trigger) {
> free_irq(irq, vdev->ctx[vector].trigger);
> irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
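Review bot: the important part of this hunk is the reordering, not just the added `vector < 0` test: before, `irq` was initialised from `vdev->msix[vector].vector` at declaration time, so an out-of-range `vector` indexed the array before the `-EINVAL` return on the next line could prevent it. Moving the assignment below the check closes that. The explicit `< 0` test also makes the comparison independent of the type of `vdev->num_ctx` (if it is unsigned, a negative `int vector` would otherwise be promoted and rejected only by accident), which is worth a sentence in the commit message.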
> @@ -328,8 +328,9 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
> if (fd < 0)
> return 0;
>
> - vdev->ctx[vector].name = kasprintf(GFP_KERNEL, "%s[%d](%s)",
> - name, vector, pci_name(pdev));
> + vdev->ctx[vector].name = kasprintf(GFP_KERNEL, "vfio-msi%s[%d](%s)",
> + msix ? "x" : "", vector,
> + pci_name(pdev));
> if (!vdev->ctx[vector].name)
> return -ENOMEM;
>
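Review bot: the kasprintf rework yields exactly the strings the old code produced ("vfio-msi[%d](...)" and "vfio-msix[%d](...)"), so this is a no-functional-change consolidation folded into a bug fix. Either split it out or state in the commit message that the request_irq name format is unchanged, since that name is what shows up in /proc/interrupts and anyone matching on it should not have to diff the two kasprintf calls to confirm that.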
> @@ -379,7 +380,7 @@ static int vfio_msi_set_block(struct vfio_pci_device *vdev, unsigned start,
> {
> int i, j, ret = 0;
>
> - if (start + count > vdev->num_ctx)
> + if (start >= vdev->num_ctx || start + count > vdev->num_ctx)
> return -EINVAL;
>
> for (i = 0, j = start; i < count && !ret; i++, j++) {
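Review bot: `start >= vdev->num_ctx` catches the wrap the commit message describes (a large `start` pulling `start + count` back below `num_ctx`), but assuming `count` is unsigned like `start`, the sum can still wrap when `start` is small and `count` is near UINT_MAX, e.g. `start = 1, count = 0xffffffff` gives `start + count == 0` and passes both clauses. The loop is then stopped only indirectly, by vfio_msi_set_vector_signal() returning -EINVAL once `j` reaches `num_ctx`. Writing the second clause as `count > vdev->num_ctx - start` cannot overflow once `start < vdev->num_ctx` is established and makes the intended bound explicit.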
> @@ -388,7 +389,7 @@ static int vfio_msi_set_block(struct vfio_pci_device *vdev, unsigned start,
> }
>
> if (ret) {
> - for (--j; j >= start; j--)
> + for (--j; j >= (int)start; j--)
> vfio_msi_set_vector_signal(vdev, j, -1, msix);
> }
>
>
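Review bot: the `(int)start` cast fixes the termination problem described in the commit message (`j` is declared `int`, so `j >= start` promoted it to unsigned and `j == -1` compared as UINT_MAX, never stopping the unwind when `start == 0`). It is only safe because the new `start >= vdev->num_ctx` check above guarantees `start` fits in an int; a short comment recording that dependency, or an unwind that avoids the mixed-sign compare altogether (declare `j` unsigned and use `while (j > start) vfio_msi_set_vector_signal(vdev, --j, -1, msix);`, which visits the same indices), would keep the next reader from having to re-derive it.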