projects / GitHub / LineageOS / android_kernel_samsung_universal7580.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0214fbe) | patch
vfio/pci: Fix integer overflows, bitmask check
authorVlad Tsyrklevich <vlad@tsyrklevich.net>
Wed, 12 Oct 2016 16:51:24 +0000 (18:51 +0200)
committerDanny Wood <danwood76@gmail.com>
Tue, 29 Jan 2019 13:17:17 +0000 (13:17 +0000)
commit28c26aade57845098b66515fa4ce66dafa2d5e5c
tree5539f5e69be783f46041012d0418d7ff21474a35tree | snapshot (tar.gz zip)
parent0214fbeb7a95cddd7bf28a917a53ce42f2754e36commit | diff
vfio/pci: Fix integer overflows, bitmask check

commit 05692d7005a364add85c6e25a6c4447ce08f913a upstream.

The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
user-supplied integers, potentially allowing memory corruption. This
patch adds appropriate integer overflow checks, checks the range bounds
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
vfio_pci_set_irqs_ioctl().

Furthermore, a kzalloc is changed to a kcalloc because the use of a
kzalloc with an integer multiplication allowed an integer overflow
condition to be reached without this patch. kcalloc checks for overflow
and should prevent a similar occurrence.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
drivers/vfio/pci/vfio_pci.c diff | blob | blame | history
drivers/vfio/pci/vfio_pci_intrs.c diff | blob | blame | history