* [PATCH] xen: fix potential integer overflow in queue_reply
From: Insu Yun @ 2016-01-18 16:29 UTC (permalink / raw)
  To: konrad.wilk, boris.ostrovsky, david.vrabel, Jennifer.Herbert,
	xen-devel, linux-kernel
  Cc: taesoo, yeongjin.jang, insu, changwoo, Insu Yun

When len is greater than UINT_MAX - sizeof(*rb), the next allocation
can overflow the integer range and allocate a small heap buffer.
After that, memcpy will overflow the allocated heap.
Therefore, the size of the given length needs to be checked.

Signed-off-by: Insu Yun <wuninsu@gmail.com>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 9433e46..b45ed69 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
 {
 	struct read_buffer *rb;
 
-	if (len == 0)
+	if (len == 0 || len >= UINT_MAX - sizeof(*rb))
 		return 0;
 
 	rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL);
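Review bot: the new guard `if (len == 0 || len >= UINT_MAX - sizeof(*rb))` folds the oversize case into the same `return 0` as the empty-reply no-op, so a caller passing an absurd `len` is told the reply was queued when it was silently dropped; the oversize branch should return an error (e.g. -EINVAL) rather than 0. The bound is also taken from the allocator's arithmetic rather than from the protocol: `len` is a `size_t`, so on a 64-bit build `sizeof(*rb) + len` cannot wrap below `UINT_MAX` anyway, while the check still admits lengths far above any legitimate xenstore message. Comparing against the protocol's maximum payload length (XENSTORE_PAYLOAD_MAX) instead states the intent and closes the case on every word size. Minor: the commit message says "greater than" while the code uses `>=`.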
-- 
1.9.1


* Re: [PATCH] xen: fix potential integer overflow in queue_reply
From: David Vrabel @ 2016-01-18 16:38 UTC (permalink / raw)
  To: Insu Yun, konrad.wilk, boris.ostrovsky, Jennifer.Herbert,
	xen-devel, linux-kernel
  Cc: taesoo, yeongjin.jang, insu, changwoo

On 18/01/16 16:29, Insu Yun wrote:
> When len is greater than UINT_MAX - sizeof(*rb), the next allocation
> can overflow the integer range and allocate a small heap buffer.
> After that, memcpy will overflow the allocated heap.
> Therefore, the size of the given length needs to be checked.
[...]
> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
>  {
>  	struct read_buffer *rb;
>  
> -	if (len == 0)
> +	if (len == 0 || len >= UINT_MAX - sizeof(*rb))
                               ^^^^^^^^^^^^^^^^^^^^^^
Please check

    len > XENSTORE_PAYLOAD_MAX

instead.

David


* Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply
From: David Vrabel @ 2016-01-18 16:47 UTC (permalink / raw)
  To: David Vrabel, Insu Yun, konrad.wilk, boris.ostrovsky,
	Jennifer.Herbert, xen-devel, linux-kernel
  Cc: yeongjin.jang, taesoo, insu, changwoo

On 18/01/16 16:38, David Vrabel wrote:
> On 18/01/16 16:29, Insu Yun wrote:
>> When len is greater than UINT_MAX - sizeof(*rb), the next allocation
>> can overflow the integer range and allocate a small heap buffer.
>> After that, memcpy will overflow the allocated heap.
>> Therefore, the size of the given length needs to be checked.
> [...]
>> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
>> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
>> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
>>  {
>>  	struct read_buffer *rb;
>>  
>> -	if (len == 0)
>> +	if (len == 0 || len >= UINT_MAX - sizeof(*rb))
>                                ^^^^^^^^^^^^^^^^^^^^^^
> Please check
> 
>     len > XENSTORE_PAYLOAD_MAX
> 
> instead.

And return -EINVAL in this case (not zero).

David
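
The guard discussed in this thread, as an added example that is not part of the patch or of the kernel source: a user-space C model that does the size arithmetic in an explicit 32-bit type, so the wrap-around is visible on any host, and contrasts the posted check (which returns 0 for an oversize length, indistinguishable from a queued reply) with a protocol bound that returns -EINVAL. `rb_model`, `alloc_size_32`, the two `queue_reply_*_model` functions and `PAYLOAD_MAX` (a stand-in for XENSTORE_PAYLOAD_MAX, with an assumed value) are hypothetical names for the demonstration only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. PAYLOAD_MAX stands in for
 * XENSTORE_PAYLOAD_MAX; its value here is an assumption.
 */
#define PAYLOAD_MAX 4096u

/* Hypothetical stand-in for a header followed by a variable-length payload. */
struct rb_model {
	uint32_t cons;
	uint32_t len;
	char msg[];
};

/* Byte count handed to the allocator when size_t is 32 bits wide.
 * The addition is done in uint32_t on purpose so the wrap is observable. */
uint32_t alloc_size_32(uint32_t len)
{
	return (uint32_t)sizeof(struct rb_model) + len;
}

/* Guard as posted in the patch: the oversize case shares `return 0` with the
 * empty-reply no-op, so the caller cannot tell "queued" from "dropped". */
int queue_reply_patch_model(uint32_t len, uint32_t *alloc_size)
{
	*alloc_size = 0;
	if (len == 0 || len >= UINT32_MAX - sizeof(struct rb_model))
		return 0;
	*alloc_size = alloc_size_32(len);
	return 0;
}

/* Guard as requested in review: bound len by the protocol maximum and fail
 * with -EINVAL. Because len <= PAYLOAD_MAX past this point, the header plus
 * payload size can never wrap, whatever the width of size_t. */
int queue_reply_reviewed_model(uint32_t len, uint32_t *alloc_size)
{
	*alloc_size = 0;
	if (len == 0)
		return 0;		/* genuine no-op */
	if (len > PAYLOAD_MAX)
		return -EINVAL;		/* oversize: report an error */
	*alloc_size = alloc_size_32(len);
	return 0;
}

int main(void)
{
	uint32_t huge = UINT32_MAX - 4;	/* constructed: near the top of a 32-bit size_t */
	uint32_t sz;
	int rc;

	printf("unguarded: header + %u bytes wraps to %u bytes\n",
	       huge, alloc_size_32(huge));

	rc = queue_reply_patch_model(huge, &sz);
	printf("patch guard:    rc=%d alloc=%u (looks like success)\n", rc, sz);

	rc = queue_reply_reviewed_model(huge, &sz);
	printf("reviewed guard: rc=%d alloc=%u\n", rc, sz);

	rc = queue_reply_reviewed_model(100, &sz);
	printf("reviewed guard, 100 bytes: rc=%d alloc=%u\n", rc, sz);
	return 0;
}
```

With an 8-byte header, a length of `UINT32_MAX - 4` makes the 32-bit sum come out to 3 bytes, which is the undersized allocation the commit message describes; the reviewed guard never reaches the addition for such a length and reports the failure to the caller instead of swallowing it.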

