summaryrefslogtreecommitdiffstats
path: root/drivers/vdpa
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2021-12-08 18:09:56 +0300
committerMichael S. Tsirkin <mst@redhat.com>2021-12-08 14:53:15 -0500
commitdc1db0060c02d119fd4196924eff2d1129e9a442 (patch)
treeb8ffb6cbb2d403e16c523d6fa9ebf463c4f51104 /drivers/vdpa
parent3ed21c1451a14d139e1ceb18f2fa70865ce3195a (diff)
downloadlinux-stable-dc1db0060c02d119fd4196924eff2d1129e9a442.tar.gz
linux-stable-dc1db0060c02d119fd4196924eff2d1129e9a442.tar.bz2
linux-stable-dc1db0060c02d119fd4196924eff2d1129e9a442.zip
vduse: check that offset is within bounds in get_config()
This condition checks "len" but it does not check "offset" and that could result in an out of bounds read if "offset > dev->config_size". The problem is that since both variables are unsigned the "dev->config_size - offset" subtraction would result in a very high unsigned value. I think these checks might not be necessary because "len" and "offset" are supposed to already have been validated using the vhost_vdpa_config_validate() function. But I do not know the code perfectly, and I like to be safe. Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20211208150956.GA29160@kili Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/vdpa')
-rw-r--r--drivers/vdpa/vdpa_user/vduse_dev.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 1a206f95d73a..eddcb64a910a 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -655,7 +655,8 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
{
struct vduse_dev *dev = vdpa_to_vduse(vdpa);
- if (len > dev->config_size - offset)
+ if (offset > dev->config_size ||
+ len > dev->config_size - offset)
return;
memcpy(buf, dev->config + offset, len);
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-03 22:33:24 +0000