Message ID | 20241021123843.42979-1-giovanni.cabiddu@intel.com (mailing list archive) |
---|---|
State | New |
Series | vfio/qat: fix overflow check in qat_vf_resume_write() |
On Mon, 21 Oct 2024 13:37:53 +0100 Giovanni Cabiddu <giovanni.cabiddu@intel.com> wrote: > The unsigned variable `size_t len` is cast to the signed type `loff_t` > when passed to the function check_add_overflow(). This function considers > the type of the destination, which is of type loff_t (signed), > potentially leading to an overflow. This issue is similar to the one > described in the link below. > > Remove the cast. > > Note that even if check_add_overflow() is bypassed, by setting `len` to > a value that is greater than LONG_MAX (which is considered as a negative > value after the cast), the function copy_from_user(), invoked a few lines > later, will not perform any copy and return `len` as (len > INT_MAX) > causing qat_vf_resume_write() to fail with -EFAULT. > > Fixes: bb208810b1ab ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices") > CC: stable@vger.kernel.org # 6.10+ > Link: https://lore.kernel.org/all/138bd2e2-ede8-4bcc-aa7b-f3d9de167a37@moroto.mountain > Reported-by: Zijie Zhao <zzjas98@gmail.com> > Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> > Reviewed-by: Xin Zeng <xin.zeng@intel.com> > --- > drivers/vfio/pci/qat/main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c > index e36740a282e7..1e3563fe7cab 100644 > --- a/drivers/vfio/pci/qat/main.c > +++ b/drivers/vfio/pci/qat/main.c > @@ -305,7 +305,7 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf, > offs = &filp->f_pos; > > if (*offs < 0 || > - check_add_overflow((loff_t)len, *offs, &end)) > + check_add_overflow(len, *offs, &end)) > return -EOVERFLOW; > > if (end > mig_dev->state_size) Applied to vfio next branch for v6.13. Thanks, Alex
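The difference the commit message describes, as an added user-space example that is not part of the original thread or the kernel source. It models the two checks visible in the hunk, with `__builtin_add_overflow` standing in for `check_add_overflow()`; the `demo_*` types, `resume_bounds_check()` and all input values are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-ins (assumptions): 64-bit size_t and loff_t, and
 * __builtin_add_overflow in place of the kernel's check_add_overflow(). */
typedef uint64_t demo_size_t;
typedef int64_t  demo_loff_t;

enum verdict { ACCEPTED, REJECTED_OVERFLOW, REJECTED_TOO_LARGE };

/* Models the two checks visible in the hunk. with_cast selects the
 * pre-patch form ((loff_t)len) or the patched form (len passed as is). */
static enum verdict resume_bounds_check(demo_size_t len, demo_loff_t offs,
                                        demo_loff_t state_size, bool with_cast,
                                        demo_loff_t *end)
{
    bool ovf;

    if (offs < 0)
        return REJECTED_OVERFLOW;
    if (with_cast)  /* len > INT64_MAX turns negative; negative + non-negative never overflows */
        ovf = __builtin_add_overflow((demo_loff_t)len, offs, end);
    else            /* the exact sum is checked against the range of *end */
        ovf = __builtin_add_overflow(len, offs, end);
    if (ovf)
        return REJECTED_OVERFLOW;
    if (*end > state_size)
        return REJECTED_TOO_LARGE;
    return ACCEPTED;
}

int main(void)
{
    /* Constructed inputs: len values on both sides of the signed boundary. */
    const demo_size_t lens[] = { 4096, (demo_size_t)INT64_MAX + 1, UINT64_MAX };
    const demo_loff_t state_size = 65536;   /* constructed */
    static const char *name[] = { "accepted", "overflow", "too large" };

    for (unsigned i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        demo_loff_t e1 = 0, e2 = 0;
        enum verdict a = resume_bounds_check(lens[i], 16, state_size, true, &e1);
        enum verdict b = resume_bounds_check(lens[i], 16, state_size, false, &e2);
        printf("len=%#llx cast:%s nocast:%s\n",
               (unsigned long long)lens[i], name[a], name[b]);
    }
    return 0;
}
```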
diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c index e36740a282e7..1e3563fe7cab 100644 --- a/drivers/vfio/pci/qat/main.c +++ b/drivers/vfio/pci/qat/main.c @@ -305,7 +305,7 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf, offs = &filp->f_pos; if (*offs < 0 || - check_add_overflow((loff_t)len, *offs, &end)) + check_add_overflow(len, *offs, &end)) return -EOVERFLOW; if (end > mig_dev->state_size)
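Review bot: On the changed line `check_add_overflow(len, *offs, &end)` the operands now differ in signedness (`len` is `size_t` and the destination is `loff_t`, per the commit message), and nothing at the call site says the missing cast is deliberate. Suggest a one-line comment above the `if` stating that `len` must stay unsigned so the helper checks the true sum against the range of `end`; otherwise a later type cleanup could reintroduce `(loff_t)len`. The commit message's observation that copy_from_user() would fail anyway for such a length is a backstop, so the bounds check should be documented as correct on its own.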