[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl

To: Andres Lagar-Cavilla <andreslc@xxxxxxxxxxxxxx>
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Sat, 8 Sep 2012 12:52:08 +0300
Cc: kernel-janitors@xxxxxxxxxxxxxxx, Jeremy Fitzhardinge <jeremy@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx, virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Delivery-date: Sat, 08 Sep 2012 09:52:53 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication
could overflow and the access_ok() check wouldn't test the right size.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
Only needed in linux-next.

diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index 215a3c0..fdff8f9 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, 
int version)
                        return -EFAULT;
                /* Returns per-frame error in m.arr. */
                m.err = NULL;
+               if (m.num > SIZE_MAX / sizeof(*m.arr))
+                       return -EINVAL;
                if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr)))
                        return -EFAULT;
                break;
@@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, 
int version)
                if (copy_from_user(&m, udata, sizeof(struct 
privcmd_mmapbatch_v2)))
                        return -EFAULT;
                /* Returns per-frame error code in m.err. */
+               if (m.num > SIZE_MAX / sizeof(*m.err))
+                       return -EINVAL;
                if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err))))
                        return -EFAULT;
                break;

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl
  - From: David Vrabel
- Re: [Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl
  - From: Andres Lagar-Cavilla

Prev by Date: [Xen-devel] [PATCH 2 of 2] docs: flesh out xl.cfg documentation, correct typos, reorganize
Next by Date: [Xen-devel] [patch 2/3] xen/privcmd: return -EFAULT on error
Previous by thread: [Xen-devel] [PATCH 0 of 2] improve xmdomain.cfg and xl.cfg documentation
Next by thread: Re: [Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.