[PATCH 1/2] vdpa: Signedness bugs in vdpasim

virtualization.lists.linux-foundation.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work()
@ 2020-04-06 14:45 Dan Carpenter
  2020-04-06 14:45 ` [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config() Dan Carpenter
  2020-04-09  2:05 ` [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work() Jason Wang
  0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2020-04-06 14:45 UTC (permalink / raw)
  To: Michael S. Tsirkin, Jason Wang; +Cc: virtualization, kernel-janitors

The "read" and "write" variables need to be signed for the error
handling to work.

Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/vdpa/vdpa_sim/vdpa_sim.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
index 6e8a0cf2fdeb..b3c800653056 100644
--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
+++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
@@ -132,7 +132,8 @@ static void vdpasim_work(struct work_struct *work)
 						 vdpasim, work);
 	struct vdpasim_virtqueue *txq = &vdpasim->vqs[1];
 	struct vdpasim_virtqueue *rxq = &vdpasim->vqs[0];
-	size_t read, write, total_write;
+	ssize_t read, write;
+	size_t total_write;
 	int err;
 	int pkts = 0;
 
-- 
2.25.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config()
  2020-04-06 14:45 [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work() Dan Carpenter
@ 2020-04-06 14:45 ` Dan Carpenter
  2020-04-09  2:06   ` Jason Wang
  2020-04-09  2:05 ` [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work() Jason Wang
  1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2020-04-06 14:45 UTC (permalink / raw)
  To: Michael S. Tsirkin, Jason Wang; +Cc: virtualization, kernel-janitors

If "offset" is non-zero then we end up copying from beyond the end of
the config because of pointer math.  We can fix this by casting the
struct to a u8 pointer.

Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Is it really worth letting people specify the offset?

 drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
index b3c800653056..e03c25765513 100644
--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
+++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
@@ -509,7 +509,7 @@ static void vdpasim_get_config(struct vdpa_device *vdpa, unsigned int offset,
 	struct vdpasim *vdpasim = vdpa_to_sim(vdpa);
 
 	if (offset + len < sizeof(struct virtio_net_config))
-		memcpy(buf, &vdpasim->config + offset, len);
+		memcpy(buf, (u8 *)&vdpasim->config + offset, len);
 }
 
 static void vdpasim_set_config(struct vdpa_device *vdpa, unsigned int offset,
-- 
2.25.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work()
  2020-04-06 14:45 [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work() Dan Carpenter
  2020-04-06 14:45 ` [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config() Dan Carpenter
@ 2020-04-09  2:05 ` Jason Wang
  1 sibling, 0 replies; 4+ messages in thread
From: Jason Wang @ 2020-04-09  2:05 UTC (permalink / raw)
  To: Dan Carpenter, Michael S. Tsirkin; +Cc: virtualization, kernel-janitors


On 2020/4/6 下午10:45, Dan Carpenter wrote:
> The "read" and "write" variables need to be signed for the error
> handling to work.
>
> Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>   drivers/vdpa/vdpa_sim/vdpa_sim.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
> index 6e8a0cf2fdeb..b3c800653056 100644
> --- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
> +++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
> @@ -132,7 +132,8 @@ static void vdpasim_work(struct work_struct *work)
>   						 vdpasim, work);
>   	struct vdpasim_virtqueue *txq = &vdpasim->vqs[1];
>   	struct vdpasim_virtqueue *rxq = &vdpasim->vqs[0];
> -	size_t read, write, total_write;
> +	ssize_t read, write;
> +	size_t total_write;
>   	int err;
>   	int pkts = 0;
>   


Acked-by: Jason Wang <jasowang@redhat.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config()
  2020-04-06 14:45 ` [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config() Dan Carpenter
@ 2020-04-09  2:06   ` Jason Wang
  0 siblings, 0 replies; 4+ messages in thread
From: Jason Wang @ 2020-04-09  2:06 UTC (permalink / raw)
  To: Dan Carpenter, Michael S. Tsirkin; +Cc: virtualization, kernel-janitors


On 2020/4/6 下午10:45, Dan Carpenter wrote:
> If "offset" is non-zero then we end up copying from beyond the end of
> the config because of pointer math.  We can fix this by casting the
> struct to a u8 pointer.
>
> Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Is it really worth letting people specify the offset?
>
>   drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
> index b3c800653056..e03c25765513 100644
> --- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
> +++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
> @@ -509,7 +509,7 @@ static void vdpasim_get_config(struct vdpa_device *vdpa, unsigned int offset,
>   	struct vdpasim *vdpasim = vdpa_to_sim(vdpa);
>   
>   	if (offset + len < sizeof(struct virtio_net_config))
> -		memcpy(buf, &vdpasim->config + offset, len);
> +		memcpy(buf, (u8 *)&vdpasim->config + offset, len);
>   }
>   
>   static void vdpasim_set_config(struct vdpa_device *vdpa, unsigned int offset,


Acked-by: Jason Wang <jasowang@redhat.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-04-09  2:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-06 14:45 [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work() Dan Carpenter
2020-04-06 14:45 ` [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config() Dan Carpenter
2020-04-09  2:06   ` Jason Wang
2020-04-09  2:05 ` [PATCH 1/2] vdpa: Signedness bugs in vdpasim_work() Jason Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).