From: Avi Kivity
Subject: Re: 2.6.32-KVM-pit_ioport_read() integer buffer overflow hole
Date: Tue, 26 Jan 2010 11:03:57 +0200
Message-ID: <4B5EAFFD.2020706@redhat.com>
In-Reply-To: <628d1651001260059p65dab6d0y86084b181f5273fc@mail.gmail.com>
To: wzt wzt
Cc: kvm@vger.kernel.org

On 01/26/2010 10:59 AM, wzt wzt wrote:
> Hi:
>      In kernel 2.6.32 kernel/arch/x86/kvm/i8254.c, I found that
> pit_ioport_read may have an integer buffer overflow hole:
>
> static int pit_ioport_read(struct kvm_io_device *this,
>                            gpa_t addr, int len, void *data)
> {
>         …
>         if (len > sizeof(ret))
>                 len = sizeof(ret);
>
>         memcpy(data, (char *)&ret, len);  // if len is negative (< 0),
>                                           // the data memory will overflow.
>         …
> }

Is there any caller that can send a negative length, user- or
guest-controlled?

-- 
error compiling committee.c: too many arguments to function
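
Added example, not part of the thread or of the kernel source: what the bounds check quoted in the message above does with a negative len under C's usual arithmetic conversions, next to a hypothetical signed-comparison variant and a defensive copy helper. The function names and the int type of ret are assumptions; the quoted snippet elides ret's declaration.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: ret is an int, so sizeof(ret) == sizeof(int). */

/* The check as quoted: an int compared against a size_t.
 * The pragma only silences the sign-compare warning so the
 * expression can stay exactly as it appears in the message. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wsign-compare"
int clamp_as_quoted(int len)
{
    int ret = 0;
    /* len is converted to size_t before the comparison, so a
     * negative len becomes a very large unsigned value. */
    if (len > sizeof(ret))
        len = sizeof(ret);
    return len;
}
#pragma GCC diagnostic pop

/* Hypothetical variant: the bound is cast to int, so the
 * comparison is signed and a negative len is NOT clamped. */
int clamp_signed_variant(int len)
{
    int ret = 0;
    if (len > (int)sizeof(ret))
        len = (int)sizeof(ret);
    return len;
}

/* Defensive helper (hypothetical): reject non-positive lengths,
 * clamp to the source size, and only then call memcpy.
 * Returns the number of bytes copied. */
size_t copy_checked(void *data, const void *src, size_t src_size, int len)
{
    size_t n;

    if (len <= 0)
        return 0;
    n = (size_t)len;
    if (n > src_size)
        n = src_size;
    memcpy(data, src, n);
    return n;
}
```
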