vfio overflow fix for v3.9-rc7

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAABAgAGBQJRZFl9AAoJECObm247sIsiR0IQAItF0d9Q1AbLt1TYUa3E3yjd SMb3h3ItHcpT/LgpqpG31FxvADYsDAPFPs7h5HfrFJPsh8BKaWdEW3UcBgTxqMn1 xgiLM+BeePJU/ccqYBLeFhNl88A/apYhM306b5r5lNuuzsfdX2o1F/N0aaN9qV0p A9PMjfRaagSj3B2uApA8ggQgMjSTUZ4VZnP4B615ZDbBJHBv17moXwd49HR6ubBM wvYXdktDZTl3ImNrPAX2bHzAfv0777EuTuA+Gl5ngMBiZCl6N7MXmxcwbC46TtHN unJ+YfnVCIiM7Ace7EiEBl6eM+VUnczmuNFWT6s6rFKYhkbj0o9cp2S73fIz+hmn bb31RjW/kIIkxPW/CJOF2Yve4P83OW8Fwj180FiVAZaBEQaATnSQSk9FjZtzDgpF RypiKh0bNUDpim7Kdse3bm+1pK+EDc5bNzMMV+438DAs9VO1sLirqaYiG4LMc4Uz wJToAfkYVTwgf22m5dWAOnU9Llik8WXHGe75VNJ4MjfHYgTZ4lLiMa7ZmHCcIfxv B/HdlK/5tqJyWpBsvObnli5YJ9tcsiaYeaRv9261FHqHZPajL82okED4gepfxg6Z 0bX5MxQyNybMxnDo+VPzLtDpnynGRseN5Ujy/MWvLwXg7e+QXv8nmBogJHnLykA4 8mLP7tkn4MrTL5WqtMs3 =fEXv -----END PGP SIGNATURE----- Merge tag 'vfio-v3.9-rc7' of git://github.com/awilliam/linux-vfio Pull vfio overflow fix from Alex Williamson. * tag 'vfio-v3.9-rc7' of git://github.com/awilliam/linux-vfio: vfio-pci: Fix possible integer overflow
2024-11-10 22:21:40 +00:00 · 2013-04-09 12:07:01 -07:00 · 2013-04-09 12:07:01 -07:00 · 43ecdb0d31
commit 43ecdb0d31
parent 27387dd8c6 904c680c7b
1 changed files with 2 additions and 1 deletions
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@ -346,6 +346,7 @@ static long vfio_pci_ioctl(void *device_data,

 		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
 			size_t size;
+			int max = vfio_pci_get_irq_count(vdev, hdr.index);

 			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
 				size = sizeof(uint8_t);
@ -355,7 +356,7 @@ static long vfio_pci_ioctl(void *device_data,
 				return -EINVAL;

 			if (hdr.argsz - minsz < hdr.count * size ||
-			    hdr.count > vfio_pci_get_irq_count(vdev, hdr.index))
+			    hdr.start >= max || hdr.start + hdr.count > max)
 				return -EINVAL;

 			data = memdup_user((void __user *)(arg + minsz),