diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2011-10-19 08:15:10 +0200 |
---|---|---|
committer | Avi Kivity <avi@redhat.com> | 2011-12-27 10:17:07 +0100 |
commit | 1a214246cbb431f7430f7d0c0fb66218a6f442d2 (patch) | |
tree | 5a45be4f7fe958dbd09774ad9425bdcf40ff8e91 | |
parent | KVM: x86: Simplify kvm timer handler (diff) | |
download | linux-1a214246cbb431f7430f7d0c0fb66218a6f442d2.tar.xz linux-1a214246cbb431f7430f7d0c0fb66218a6f442d2.zip |
KVM: make checks stricter in coalesced_mmio_in_range()
My testing version of Smatch complains that addr and len come from
the user and they can wrap. The path is:
-> kvm_vm_ioctl()
-> kvm_vm_ioctl_unregister_coalesced_mmio()
-> coalesced_mmio_in_range()
I don't know what the implications are of wrapping here, but we may
as well fix it, if only to silence the warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
-rw-r--r-- | virt/kvm/coalesced_mmio.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index a6ec206f36ba..88b2fe3ddf42 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c @@ -28,9 +28,15 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, * (addr,len) is fully included in * (zone->addr, zone->size) */ - - return (dev->zone.addr <= addr && - addr + len <= dev->zone.addr + dev->zone.size); + if (len < 0) + return 0; + if (addr + len < addr) + return 0; + if (addr < dev->zone.addr) + return 0; + if (addr + len > dev->zone.addr + dev->zone.size) + return 0; + return 1; } static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) |