public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH] drm/i915/gvt: Prevent integer overflow in intel_vgpu_emulate_cfg_write()
@ 2021-11-24 14:49 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2021-11-24 14:49 UTC (permalink / raw)
  To: Zhenyu Wang, Zhi Wang
  Cc: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, Tvrtko Ursulin,
	David Airlie, Daniel Vetter, intel-gvt-dev, intel-gfx, dri-devel,
	kernel-janitors

The "offset" is a u32 that comes from the user.  The bug is that the
"offset + bytes" operation can have an integer overflow problem which
leads to an out of bounds access.

Fixes: 4d60c5fd3f87 ("drm/i915/gvt: vGPU PCI configuration space virtualization")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/i915/gvt/cfg_space.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/gvt/cfg_space.c b/drivers/gpu/drm/i915/gvt/cfg_space.c
index b490e3db2e38..8a54dd3de91c 100644
--- a/drivers/gpu/drm/i915/gvt/cfg_space.c
+++ b/drivers/gpu/drm/i915/gvt/cfg_space.c
@@ -316,6 +316,10 @@ int intel_vgpu_emulate_cfg_write(struct intel_vgpu *vgpu, unsigned int offset,
 	if (drm_WARN_ON(&i915->drm, bytes > 4))
 		return -EINVAL;
 
+	if (drm_WARN_ON(&i915->drm,
+			offset > vgpu->gvt->device_info.cfg_space_size))
+		return -EINVAL;
+
 	if (drm_WARN_ON(&i915->drm,
 			offset + bytes > vgpu->gvt->device_info.cfg_space_size))
 		return -EINVAL;
-- 
2.20.1


^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2021-11-24 14:49 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-24 14:49 [PATCH] drm/i915/gvt: Prevent integer overflow in intel_vgpu_emulate_cfg_write() Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox