* [patch] vfio-pci: integer overflow in vfio_pci_ioctl() @ 2013-03-26 13:13 Dan Carpenter 2013-03-26 13:39 ` Dan Carpenter 2013-03-26 15:03 ` Alex Williamson 0 siblings, 2 replies; 4+ messages in thread From: Dan Carpenter @ 2013-03-26 13:13 UTC (permalink / raw) To: Alex Williamson; +Cc: Jiang Liu, Vijay Mohan Pandarathil, kvm, kernel-janitors The worry here is that a large value of hdr.start would cause a read before the start of the array and a crash in vfio_msi_set_vector_signal(). The check in vfio_msi_set_block() is not enough: if (start + count > vdev->num_ctx) return -EINVAL; A large value of "start" would lead to an integer overflow. The check in vfio_msi_set_vector_signal() doesn't work either: if (vector >= vdev->num_ctx) return -EINVAL; Here "vector" is "count" casted to a signed int so it would be negative and thus smaller than "vdev->num_ctx" which is also a signed int. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Static analysis stuff. Untested. This patch is not beautiful. There is probably a better limit to use if I knew the code. diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c index acfcb1a..de54f69 100644 --- a/drivers/vfio/pci/vfio_pci.c +++ b/drivers/vfio/pci/vfio_pci.c @@ -371,6 +371,9 @@ static long vfio_pci_ioctl(void *device_data, hdr.count > vfio_pci_get_irq_count(vdev, hdr.index)) return -EINVAL; + if (hdr.start > INT_MAX - hdr.count) + return -EINVAL; + data = memdup_user((void __user *)(arg + minsz), hdr.count * size); if (IS_ERR(data)) ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] vfio-pci: integer overflow in vfio_pci_ioctl() 2013-03-26 13:13 [patch] vfio-pci: integer overflow in vfio_pci_ioctl() Dan Carpenter @ 2013-03-26 13:39 ` Dan Carpenter 2013-03-26 15:03 ` Alex Williamson 1 sibling, 0 replies; 4+ messages in thread From: Dan Carpenter @ 2013-03-26 13:39 UTC (permalink / raw) To: Alex Williamson; +Cc: Jiang Liu, Vijay Mohan Pandarathil, kvm, kernel-janitors On Tue, Mar 26, 2013 at 04:13:58PM +0300, Dan Carpenter wrote: > The worry here is that a large value of hdr.start would cause a > read before the start of the array and a crash in > vfio_msi_set_vector_signal(). > > The check in vfio_msi_set_block() is not enough: > > if (start + count > vdev->num_ctx) > return -EINVAL; > > A large value of "start" would lead to an integer overflow. > > The check in vfio_msi_set_vector_signal() doesn't work either: > > if (vector >= vdev->num_ctx) > return -EINVAL; > > Here "vector" is "count" casted to a signed int so it would be negative ^^^^^ I meant "start" not "count". > and thus smaller than "vdev->num_ctx" which is also a signed int. > Gar... I hate this patch already. I really should make vdev->num_ctx an unsigned int. I'll send that in a v2 along with whatever other suggestions people send. regards, dan carpenter ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] vfio-pci: integer overflow in vfio_pci_ioctl() 2013-03-26 13:13 [patch] vfio-pci: integer overflow in vfio_pci_ioctl() Dan Carpenter 2013-03-26 13:39 ` Dan Carpenter @ 2013-03-26 15:03 ` Alex Williamson 2013-03-26 15:13 ` Dan Carpenter 1 sibling, 1 reply; 4+ messages in thread From: Alex Williamson @ 2013-03-26 15:03 UTC (permalink / raw) To: Dan Carpenter; +Cc: Jiang Liu, Vijay Mohan Pandarathil, kvm, kernel-janitors On Tue, 2013-03-26 at 16:13 +0300, Dan Carpenter wrote: > The worry here is that a large value of hdr.start would cause a > read before the start of the array and a crash in > vfio_msi_set_vector_signal(). > > The check in vfio_msi_set_block() is not enough: > > if (start + count > vdev->num_ctx) > return -EINVAL; > > A large value of "start" would lead to an integer overflow. > > The check in vfio_msi_set_vector_signal() doesn't work either: > > if (vector >= vdev->num_ctx) > return -EINVAL; > > Here "vector" is "count" casted to a signed int so it would be negative > and thus smaller than "vdev->num_ctx" which is also a signed int. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > Static analysis stuff. Untested. > > This patch is not beautiful. There is probably a better limit to use if > I knew the code. > > diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c > index acfcb1a..de54f69 100644 > --- a/drivers/vfio/pci/vfio_pci.c > +++ b/drivers/vfio/pci/vfio_pci.c > @@ -371,6 +371,9 @@ static long vfio_pci_ioctl(void *device_data, > hdr.count > vfio_pci_get_irq_count(vdev, hdr.index)) > return -EINVAL; > > + if (hdr.start > INT_MAX - hdr.count) > + return -EINVAL; > + > data = memdup_user((void __user *)(arg + minsz), > hdr.count * size); > if (IS_ERR(data)) Thanks Dan. Is this more like what you're looking for? commit 16deadb9d424c0af2162a5be2935fbc4e0f09b98 Author: Alex Williamson <alex.williamson@redhat.com> Date: Tue Mar 26 08:59:22 2013 -0600 vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c index acfcb1a..866bde1 100644 --- a/drivers/vfio/pci/vfio_pci.c +++ b/drivers/vfio/pci/vfio_pci.c @@ -359,6 +359,7 @@ static long vfio_pci_ioctl(void *device_data, if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) { size_t size; + int max = vfio_pci_get_irq_count(vdev, hdr.index); if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL) size = sizeof(uint8_t); @@ -368,7 +369,7 @@ static long vfio_pci_ioctl(void *device_data, return -EINVAL; if (hdr.argsz - minsz < hdr.count * size || - hdr.count > vfio_pci_get_irq_count(vdev, hdr.index)) + hdr.start >= max || hdr.start + hdr.count > max) return -EINVAL; data = memdup_user((void __user *)(arg + minsz), ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] vfio-pci: integer overflow in vfio_pci_ioctl() 2013-03-26 15:03 ` Alex Williamson @ 2013-03-26 15:13 ` Dan Carpenter 0 siblings, 0 replies; 4+ messages in thread From: Dan Carpenter @ 2013-03-26 15:13 UTC (permalink / raw) To: Alex Williamson; +Cc: Jiang Liu, Vijay Mohan Pandarathil, kvm, kernel-janitors On Tue, Mar 26, 2013 at 09:03:02AM -0600, Alex Williamson wrote: > Thanks Dan. Is this more like what you're looking for? > Yes. That looks nice. :) regards, dan carpenter ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-03-26 15:14 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-03-26 13:13 [patch] vfio-pci: integer overflow in vfio_pci_ioctl() Dan Carpenter 2013-03-26 13:39 ` Dan Carpenter 2013-03-26 15:03 ` Alex Williamson 2013-03-26 15:13 ` Dan Carpenter
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox