Message ID | 20090527143706.14024.14341.stgit@dev.haskins.net (mailing list archive) |
---|---|
State | New, archived |
diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c index c63ff6a..f3f2ea1 100644 --- a/virt/kvm/eventfd.c +++ b/virt/kvm/eventfd.c @@ -27,6 +27,7 @@ #include <linux/poll.h> #include <linux/file.h> #include <linux/list.h> +#include <linux/eventfd.h> /* * -------------------------------------------------------------------- @@ -102,7 +103,7 @@ kvm_assign_irqfd(struct kvm *kvm, int fd, int gsi) /* * Embed the file* lifetime in the irqfd. */ - file = fget(fd); + file = eventfd_fget(fd); if (IS_ERR(file)) { ret = PTR_ERR(file); goto fail;
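Review bot: in the kvm_assign_irqfd() hunk, the IS_ERR(file) check that follows the call only becomes meaningful with eventfd_fget(), because plain fget() reports a bad descriptor by returning NULL rather than an ERR_PTR value. The changelog should say that the patch also corrects this error check, not only the fd type validation. Since file can now hold an error pointer when control reaches `goto fail`, please confirm that the fail path, which is outside the visible context, does not call fput() on it.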
We should be more vigilant in validating the fd type passed down for use in irqfd. A malicious userspace could do something nasty like pass the kvm fd which would cause problems such as a reference leak on the kvm object on shutdown. Therefore, we use the eventfd_fget() routine in place of the plain fget() to at least make sure it's of the proper type.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gregory Haskins <ghaskins@novell.com>

---

virt/kvm/eventfd.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)