From: Dan Carpenter Date: Wed, 19 Oct 2011 06:15:10 +0000 (+0300) Subject: KVM: make checks stricter in coalesced_mmio_in_range() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1a214246cbb431f7430f7d0c0fb66218a6f442d2;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git KVM: make checks stricter in coalesced_mmio_in_range() My testing version of Smatch complains that addr and len come from the user and they can wrap. The path is: -> kvm_vm_ioctl() -> kvm_vm_ioctl_unregister_coalesced_mmio() -> coalesced_mmio_in_range() I don't know what the implications are of wrapping here, but we may as well fix it, if only to silence the warning. Signed-off-by: Dan Carpenter Signed-off-by: Marcelo Tosatti --- diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index a6ec206f36ba..88b2fe3ddf42 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c @@ -28,9 +28,15 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, * (addr,len) is fully included in * (zone->addr, zone->size) */ - - return (dev->zone.addr <= addr && - addr + len <= dev->zone.addr + dev->zone.size); + if (len < 0) + return 0; + if (addr + len < addr) + return 0; + if (addr < dev->zone.addr) + return 0; + if (addr + len > dev->zone.addr + dev->zone.size) + return 0; + return 1; } static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
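Review bot: the final check still compares against `dev->zone.addr + dev->zone.size`, and that sum is not guarded against wrapping the way `addr + len` now is. If the zone values can be large enough to wrap, the upper bound becomes a small number and the comparison no longer means "fully included". Either validate the zone at the point where it is stored, or rewrite the bound with subtraction after the `addr < dev->zone.addr` test, for example `if (len > dev->zone.size || addr - dev->zone.addr > dev->zone.size - len) return 0;`, which cannot overflow. Separately, the `len < 0` test only has an effect if `len` is signed, and the parameter types are outside the visible context. A short comment noting that a negative `len` must be rejected before `addr + len < addr` is evaluated would make the ordering of the first two checks clear to the next reader.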