From patchwork Mon Oct 11 17:22:57 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 245831
Date: Mon, 11 Oct 2010 19:22:57 +0200
From: Dan Carpenter To: "Michael S. Tsirkin" Cc: Juan Quintela , "David S. Miller" , Rusty Russell , kvm@vger.kernel.org, virtualization@lists.osdl.org, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch 1/2] vhost: potential integer overflows Message-ID: <20101011172256.GF5851@bicker> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.18 (2008-05-17) Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]); Mon, 11 Oct 2010 17:23:53 +0000 (UTC) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index dd3d6f7..c2aa12c 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -429,6 +429,14 @@ static int vq_access_ok(unsigned int num, struct vring_avail __user *avail, struct vring_used __user *used) { + + if (num > UINT_MAX / sizeof *desc) + return 0; + if (num > UINT_MAX / sizeof *avail->ring - sizeof *avail) + return 0; + if (num > UINT_MAX / sizeof *used->ring - sizeof *used) + return 0; + return access_ok(VERIFY_READ, desc, num * sizeof *desc) && access_ok(VERIFY_READ, avail, sizeof *avail + num * sizeof *avail->ring) && @@ -447,6 +455,9 @@ int vhost_log_access_ok(struct vhost_dev *dev) /* Caller should have vq mutex and device mutex */ static int vq_log_access_ok(struct vhost_virtqueue *vq, void __user *log_base) { + if (vq->num > UINT_MAX / sizeof *vq->used->ring - sizeof *vq->used) + return 0; + return vq_memory_access_ok(log_base, vq->dev->memory, vhost_has_feature(vq->dev, VHOST_F_LOG_ALL)) && (!vq->log_used || log_access_ok(log_base, vq->log_addr, 
@@ -606,12 +617,17 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) } /* Also validate log access for used ring if enabled. */ - if ((a.flags & (0x1 << VHOST_VRING_F_LOG)) && - !log_access_ok(vq->log_base, a.log_guest_addr, + if (a.flags & (0x1 << VHOST_VRING_F_LOG)) { + if (vq->num > UINT_MAX / sizeof *vq->used->ring - sizeof *vq->used) { + r = -EINVAL; + break; + } + if (!log_access_ok(vq->log_base, a.log_guest_addr, sizeof *vq->used + vq->num * sizeof *vq->used->ring)) { - r = -EINVAL; - break; + r = -EINVAL; + break; + } } }
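Review bot: in the vq_access_ok hunk (@@ -429,6 +429,14 @@) the bounds for the avail and used rings are written as `UINT_MAX / sizeof *avail->ring - sizeof *avail`, which parses as `(UINT_MAX / sizeof *avail->ring) - sizeof *avail` and is not the overflow condition for the length `sizeof *avail + num * sizeof *avail->ring` passed to access_ok two lines below; it subtracts a whole `sizeof *avail` from the element count, so it is stricter than needed and therefore still safe, but the bound that matches the computation is `(UINT_MAX - sizeof *avail) / sizeof *avail->ring`, and the same applies to the `used` line. Suggest writing the exact bound with explicit parentheses. Also note that `num` is `unsigned int` and the products are taken in `size_t`, so the overflow these checks guard against can only happen where `size_t` is 32 bits; the commit message should say so, and should say whether `num` is already range-limited where VHOST_SET_VRING_NUM is handled, since if it is these checks are unreachable. Minor: the hunk adds an empty `+` line directly after the opening `{`; drop it.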
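Review bot: the check added at the top of vq_log_access_ok (@@ -447,6 +455,9 @@) is the same expression as the used-ring check in vq_access_ok, precedence quirk included (`UINT_MAX / sizeof *vq->used->ring - sizeof *vq->used` rather than `(UINT_MAX - sizeof *vq->used) / sizeof *vq->used->ring`), and it is open-coded a third time in vhost_set_vring in this patch. Factor it into one helper, for example `static bool vq_used_size_ok(unsigned int num)`, and have all three sites call it so the bound cannot drift between them when someone later corrects it.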
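Review bot: in the VHOST_VRING_F_LOG branch of vhost_set_vring (@@ -606,12 +617,17 @@) the new `vq->num` check fails with `-EINVAL`, whereas the identical condition in vq_access_ok fails by returning 0; decide on one error for "ring size would overflow the length computation" so userspace sees consistent behaviour for the same bad `num`. The hunk also replaces `r = -EINVAL; break;` with `+` lines that differ only in indentation because the single-statement `if` became a block; that is fine, but worth a line in the commit message so the reindent is not read as a behavioural change. Since vq_log_access_ok gains the same check in this patch, consider reusing it here instead of repeating the bound inline.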