diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-01-07 09:28:40 +0300 |
---|---|---|
committer | Alex Williamson <alex.williamson@redhat.com> | 2017-01-11 12:12:29 -0700 |
commit | 5c677869e0abbffbade2cfd82d46d0eebe823f34 (patch) | |
tree | 7f4659715113784f3c88cd1dc61414b0fcecf37e /samples | |
parent | 6ed0993a0b859ce62edf2930ded683e452286d39 (diff) | |
download | linux-5c677869e0abbffbade2cfd82d46d0eebe823f34.tar.gz linux-5c677869e0abbffbade2cfd82d46d0eebe823f34.tar.bz2 linux-5c677869e0abbffbade2cfd82d46d0eebe823f34.zip |
vfio-mdev: buffer overflow in ioctl()
This is a sample driver for documentation so the impact is probably
pretty low. But we should check that bar_index is valid so we
don't write beyond the end of the mdev_state->region_info[] array.
Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Kirti Wankhede <kwankhede@nvidia.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Diffstat (limited to 'samples')
-rw-r--r-- | samples/vfio-mdev/mtty.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c index 975af5bbf28d..382f4797428f 100644 --- a/samples/vfio-mdev/mtty.c +++ b/samples/vfio-mdev/mtty.c @@ -1073,7 +1073,7 @@ int mtty_get_region_info(struct mdev_device *mdev, { unsigned int size = 0; struct mdev_state *mdev_state; - int bar_index; + u32 bar_index; if (!mdev) return -EINVAL; @@ -1082,8 +1082,11 @@ int mtty_get_region_info(struct mdev_device *mdev, if (!mdev_state) return -EINVAL; - mutex_lock(&mdev_state->ops_lock); bar_index = region_info->index; + if (bar_index >= VFIO_PCI_NUM_REGIONS) + return -EINVAL; + + mutex_lock(&mdev_state->ops_lock); switch (bar_index) { case VFIO_PCI_CONFIG_REGION_INDEX: |