2.6.32-KVM-pit_ioport_read() integer buffer overflow hole

Commit Message

wzt wzt Jan. 26, 2010, 8:59 a.m. UTC

None

Patch

diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 296aba4..bf8637f 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -463,6 +463,8 @@  static int pit_ioport_read(struct kvm_io_device *this,
       struct kvm *kvm = pit->kvm;
       int ret, count;
       struct kvm_kpit_channel_state *s;
+       if (len < 0)
+               return -EOPNOTSUPP;
       if (!pit_in_range(addr))
               return -EOPNOTSUPP;

@@ -516,6 +518,7 @@  static int pit_ioport_read(struct kvm_io_device *this,

       if (len > sizeof(ret))
               len = sizeof(ret);
+
       memcpy(data, (char *)&ret, len);

       mutex_unlock(&pit_state->lock);
@@ -547,6 +550,9 @@  static int speaker_ioport_read(struct kvm_io_device *this,
       struct kvm *kvm = pit->kvm;
       unsigned int refresh_clock;
       int ret;
+
+       if (len < 0)
+               return -EOPNOTSUPP;
       if (addr != KVM_SPEAKER_BASE_ADDRESS)
               return -EOPNOTSUPP;
--
To unsubscribe from this list: send the line "unsubscribe kvm" in