From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
	Alex Williamson <alex.williamson@redhat.com>
Subject: [ 60/64] vfio-pci: Fix possible integer overflow
Date: Wed, 10 Apr 2013 15:46:57 -0700
Message-ID: <20130410224347.549614022@linuxfoundation.org>
In-Reply-To: <20130410224333.114387235@linuxfoundation.org>

3.8-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit 904c680c7bf016a8619a045850937427f8d7368c upstream.

The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
of which are unsigned.  We attempt to bounds check these, but fail to
account for the case where start is a very large number, allowing
start + count to wrap back into the valid range.  Bounds check both
start and start + count.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/vfio/pci/vfio_pci.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -331,6 +331,7 @@ static long vfio_pci_ioctl(void *device_
 
 		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
 			size_t size;
+			int max = vfio_pci_get_irq_count(vdev, hdr.index);
 
 			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
 				size = sizeof(uint8_t);
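Review bot: `max` is declared `int` while `hdr.start` and `hdr.count` are unsigned (as the commit message states), so in the comparisons that use it `max` is converted to unsigned; if vfio_pci_get_irq_count() can ever return a negative error value, that value becomes a very large unsigned bound and the range check is defeated. Either confirm it only returns non-negative counts, or add an explicit `if (max < 0) return -EINVAL;` before the comparison and note that guarantee in a comment.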
@@ -340,7 +341,7 @@ static long vfio_pci_ioctl(void *device_
 				return -EINVAL;
 
 			if (hdr.argsz - minsz < hdr.count * size ||
-			    hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
+			    hdr.start >= max || hdr.start + hdr.count > max)
 				return -EINVAL;
 
 			data = memdup_user((void __user *)(arg + minsz),
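Review bot: `hdr.start + hdr.count` can still wrap in unsigned arithmetic when `hdr.count` is close to UINT_MAX, so `hdr.start >= max || hdr.start + hdr.count > max` does not by itself guarantee the end of the range is in bounds; it leans on the preceding `hdr.argsz - minsz < hdr.count * size` test to reject such counts, and `hdr.count * size` can itself wrap where size_t is 32-bit. Writing the bound without the addition, e.g. `hdr.start >= max || hdr.count > max - hdr.start`, makes this check self-contained. A one-line comment that the dropped `hdr.count > ...` test is now implied by the new condition would also help future readers.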



