From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20130507035847.446699462@goodmis.org> Date: Mon, 06 May 2013 23:57:51 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Dan Carpenter , Alex Williamson Subject: [039/126] vfio-pci: Fix possible integer overflow References: <20130507035712.909872333@goodmis.org> Content-Disposition: inline; filename=0039-vfio-pci-Fix-possible-integer-overflow.patch Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.6.11.3 stable review patch. If anyone has any objections, please let me know. ------------------ From: Alex Williamson [ Upstream commit 904c680c7bf016a8619a045850937427f8d7368c ] The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson Signed-off-by: Steven Rostedt --- drivers/vfio/pci/vfio_pci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c index 6968b72..cdaaa25 100644 --- a/drivers/vfio/pci/vfio_pci.c +++ b/drivers/vfio/pci/vfio_pci.c @@ -315,6 +315,7 @@ static long vfio_pci_ioctl(void *device_data, if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) { size_t size; + int max = vfio_pci_get_irq_count(vdev, hdr.index); if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL) size = sizeof(uint8_t); @@ -324,7 +325,7 @@ static long vfio_pci_ioctl(void *device_data, return -EINVAL; if (hdr.argsz - minsz < hdr.count * size || - hdr.count > vfio_pci_get_irq_count(vdev, hdr.index)) + hdr.start >= max || hdr.start + hdr.count > max) return -EINVAL; data = kmalloc(hdr.count * size, GFP_KERNEL); -- 1.7.10.4