public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH] KVM: Enhance the coalesced_mmio_write() parameter to avoid stack buffer overflow
@ 2010-04-12  1:57 wzt.wzt
  2010-04-12  9:12 ` Stefan Hajnoczi
  2010-04-12 10:28 ` Avi Kivity
  0 siblings, 2 replies; 3+ messages in thread
From: wzt.wzt @ 2010-04-12  1:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: avi, mtosatti, kvm

coalesced_mmio_write() is not check the len value, if len is negative,
memcpy(ring->coalesced_mmio[ring->last].data, val, len); will cause
stack buffer overflow.

Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>

---
 virt/kvm/coalesced_mmio.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
index c0dcfb7..eb4601c 100644
--- a/virt/kvm/coalesced_mmio.c
+++ b/virt/kvm/coalesced_mmio.c
@@ -61,6 +61,10 @@ static int coalesced_mmio_write(struct kvm_io_device *this,
 {
 	struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
 	struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
+
+	if (len < 0)
+		return -EOPNOTSUPP;
+
 	if (!coalesced_mmio_in_range(dev, addr, len))
 		return -EOPNOTSUPP;
 
-- 
1.6.5.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] KVM: Enhance the coalesced_mmio_write() parameter to  avoid stack buffer overflow
  2010-04-12  1:57 [PATCH] KVM: Enhance the coalesced_mmio_write() parameter to avoid stack buffer overflow wzt.wzt
@ 2010-04-12  9:12 ` Stefan Hajnoczi
  2010-04-12 10:28 ` Avi Kivity
  1 sibling, 0 replies; 3+ messages in thread
From: Stefan Hajnoczi @ 2010-04-12  9:12 UTC (permalink / raw)
  To: wzt.wzt; +Cc: linux-kernel, avi, mtosatti, kvm

Does len need to be int?  Perhaps it should be unsigned int?

Stefan

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] KVM: Enhance the coalesced_mmio_write() parameter to avoid stack buffer overflow
  2010-04-12  1:57 [PATCH] KVM: Enhance the coalesced_mmio_write() parameter to avoid stack buffer overflow wzt.wzt
  2010-04-12  9:12 ` Stefan Hajnoczi
@ 2010-04-12 10:28 ` Avi Kivity
  1 sibling, 0 replies; 3+ messages in thread
From: Avi Kivity @ 2010-04-12 10:28 UTC (permalink / raw)
  To: wzt.wzt; +Cc: linux-kernel, mtosatti, kvm

On 04/12/2010 04:57 AM, wzt.wzt@gmail.com wrote:
> coalesced_mmio_write() is not check the len value, if len is negative,
> memcpy(ring->coalesced_mmio[ring->last].data, val, len); will cause
> stack buffer overflow.
>
>    

How can len be negative?  It can only be between 1 and 8.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-04-12 10:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-12  1:57 [PATCH] KVM: Enhance the coalesced_mmio_write() parameter to avoid stack buffer overflow wzt.wzt
2010-04-12  9:12 ` Stefan Hajnoczi
2010-04-12 10:28 ` Avi Kivity

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox