From: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@epam.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Andres Lagar-Cavilla <andreslc@gridcentric.ca>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
David Vrabel <david.vrabel@citrix.com>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
"kernel-janitors@vger.kernel.org"
<kernel-janitors@vger.kernel.org>,
Juergen Gross <jgross@suse.com>
Subject: Re: [PATCH] xen/privcmd: prevent integer overflow on 32 bit systems
Date: Fri, 15 Jul 2022 08:56:30 +0000 [thread overview]
Message-ID: <fa5e41eb-7f10-56d5-77db-e214535addf4@epam.com> (raw)
In-Reply-To: <YtEjVdG+pp9DGz++@kili>
On 15.07.22 11:20, Dan Carpenter wrote:
Hello Dan
> The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow
> on 32 bit systems. Probably no one really uses this software on 32 bit
> systems, but it's still worth fixing the bug if only to make the static
> checker happy.
>
> Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/xen/privcmd.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> index ad17166b0ef6..1e59b76c618e 100644
> --- a/drivers/xen/privcmd.c
> +++ b/drivers/xen/privcmd.c
> @@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch(
> if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
> return -EFAULT;
> /* Returns per-frame error in m.arr. */
> + if (m.num > SIZE_MAX / sizeof(*m.arr))
> + return -EINVAL;
> m.err = NULL;
> if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
> return -EFAULT;
> @@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch(
> if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
> return -EFAULT;
> /* Returns per-frame error code in m.err. */
> + if (m.num > SIZE_MAX / sizeof(*m.arr))
Looks like here we need to check against sizeof(*m.err) which is used in
the multiplication below.
> + return -EINVAL;
> if (!access_ok(m.err, m.num * (sizeof(*m.err))))
> return -EFAULT;
> break;
--
Regards,
Oleksandr Tyshchenko
next prev parent reply other threads:[~2022-07-15 10:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-15 8:20 [PATCH] xen/privcmd: prevent integer overflow on 32 bit systems Dan Carpenter
2022-07-15 8:56 ` Oleksandr Tyshchenko [this message]
2022-07-16 10:12 ` Dan Carpenter
2022-07-19 18:57 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fa5e41eb-7f10-56d5-77db-e214535addf4@epam.com \
--to=oleksandr_tyshchenko@epam.com \
--cc=andreslc@gridcentric.ca \
--cc=dan.carpenter@oracle.com \
--cc=david.vrabel@citrix.com \
--cc=jgross@suse.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.