diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2021-12-08 16:09:56 +0100 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2021-12-08 20:53:15 +0100 |
commit | dc1db0060c02d119fd4196924eff2d1129e9a442 (patch) | |
tree | b8ffb6cbb2d403e16c523d6fa9ebf463c4f51104 /drivers/vdpa | |
parent | vdpa: check that offsets are within bounds (diff) | |
download | linux-dc1db0060c02d119fd4196924eff2d1129e9a442.tar.xz linux-dc1db0060c02d119fd4196924eff2d1129e9a442.zip |
vduse: check that offset is within bounds in get_config()
This condition checks "len" but it does not check "offset" and that
could result in an out of bounds read if "offset > dev->config_size".
The problem is that since both variables are unsigned the
"dev->config_size - offset" subtraction would result in a very high
unsigned value.
I think these checks might not be necessary because "len" and "offset"
are supposed to already have been validated using the
vhost_vdpa_config_validate() function. But I do not know the code
perfectly, and I like to be safe.
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211208150956.GA29160@kili
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/vdpa')
-rw-r--r-- | drivers/vdpa/vdpa_user/vduse_dev.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index 1a206f95d73a..eddcb64a910a 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -655,7 +655,8 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset, { struct vduse_dev *dev = vdpa_to_vduse(vdpa); - if (len > dev->config_size - offset) + if (offset > dev->config_size || + len > dev->config_size - offset) return; memcpy(buf, dev->config + offset, len); |