VFIO fixes for v4.9-rc4
- SET_IRQS ioctl parameter sanitization (Vlad Tsyrklevich) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQIcBAABAgAGBQJYF6foAAoJECObm247sIsirKEQAKvCNC8bSnfwkhqfamCyEgAx cORF/lkrvpTle9ulA/w1YFgs7ku0KJVMyiyD5PcybzwJZeUqPffe79gxD3oO2s3G nrJWWh47oPLGfAWLtWBaD04Q9/kq5zSItxdao6mN/pYGVdCU/AxTArXYJKHSH0zl bBV/Bw06044y/KqvJ3m68vuIKPeBcjXSSkMpTaJUyu0tYfVN2LnzVBiexQx+aZeM 32BtB4cpQzLLP8zcEMP74s+0ndRYKS0fGTQF3a6qhfQt5h4Tmdo2KX+9qAKUGNK7 dL2I8faVV1vwGxeGnvhtLPbi2cU1+b8PGCWbLsaGY/ocr0fC8LpaAHOz573+24V0 I/zsnGrDkf/2QcAeElUbtKd9OmY1ssYfC+wO1x4N/s7I2Ute1h+rGlrKMuEQNLVf GBVPgGRuufqZGMYHqAmH0Vuj4Y6K/QNfs8m5sqwRW+2tV1ugvbpBX/9zmAC26L2Z 7j+6G9qs82PXBgxWOhV1yume2ZM4x6rMj7S4ZVAsDUiawgSCwOdsLO2c8KRDBJpt k9DFaZIEZx+OXZKlbGkhBZKtUIeRy8tVAIPus0eb/IzCEWKlRDzpd92fCxCLsBC6 pA7LEqxAlgi8nvzVAVL5Ld2l649BiTrCd7Zff3UUeGVRdEs5tGib2Ftl8bbyi24S ILeASkuVU2F7+ZFRpO5c =ATBG -----END PGP SIGNATURE----- Merge tag 'vfio-v4.9-rc4' of git://github.com/awilliam/linux-vfio Pull VFIO fix from Alex Williamson: "SET_IRQS ioctl parameter sanitization (Vlad Tsyrklevich)" * tag 'vfio-v4.9-rc4' of git://github.com/awilliam/linux-vfio: vfio/pci: Fix integer overflows, bitmask check
This commit is contained in:
commit
a75e003268
|
@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data,
|
|||
|
||||
} else if (cmd == VFIO_DEVICE_SET_IRQS) {
|
||||
struct vfio_irq_set hdr;
|
||||
size_t size;
|
||||
u8 *data = NULL;
|
||||
int ret = 0;
|
||||
int max, ret = 0;
|
||||
|
||||
minsz = offsetofend(struct vfio_irq_set, count);
|
||||
|
||||
|
@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data,
|
|||
return -EFAULT;
|
||||
|
||||
if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
|
||||
hdr.count >= (U32_MAX - hdr.start) ||
|
||||
hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
|
||||
VFIO_IRQ_SET_ACTION_TYPE_MASK))
|
||||
return -EINVAL;
|
||||
|
||||
if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
|
||||
size_t size;
|
||||
int max = vfio_pci_get_irq_count(vdev, hdr.index);
|
||||
|
||||
if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
|
||||
size = sizeof(uint8_t);
|
||||
else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
|
||||
size = sizeof(int32_t);
|
||||
else
|
||||
max = vfio_pci_get_irq_count(vdev, hdr.index);
|
||||
if (hdr.start >= max || hdr.start + hdr.count > max)
|
||||
return -EINVAL;
|
||||
|
||||
if (hdr.argsz - minsz < hdr.count * size ||
|
||||
hdr.start >= max || hdr.start + hdr.count > max)
|
||||
switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
|
||||
case VFIO_IRQ_SET_DATA_NONE:
|
||||
size = 0;
|
||||
break;
|
||||
case VFIO_IRQ_SET_DATA_BOOL:
|
||||
size = sizeof(uint8_t);
|
||||
break;
|
||||
case VFIO_IRQ_SET_DATA_EVENTFD:
|
||||
size = sizeof(int32_t);
|
||||
break;
|
||||
default:
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (size) {
|
||||
if (hdr.argsz - minsz < hdr.count * size)
|
||||
return -EINVAL;
|
||||
|
||||
data = memdup_user((void __user *)(arg + minsz),
|
||||
|
|
|
@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
|
|||
if (!is_irq_none(vdev))
|
||||
return -EINVAL;
|
||||
|
||||
vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
|
||||
vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
|
||||
if (!vdev->ctx)
|
||||
return -ENOMEM;
|
||||
|
||||
|
|
Loading…
Reference in New Issue