On 01/26/2010 10:59 AM, wzt wzt wrote:
Hi:
         In kernel 2.6.32, kernel/arch/x86/kvm/i8254.c, I found that
pit_ioport_read may have an integer buffer overflow hole:

static int pit_ioport_read(struct kvm_io_device *this,
                           gpa_t addr, int len, void *data)
{
…
        if (len > sizeof(ret))
                len = sizeof(ret);

        // if len is negative (< 0), the data memory will be overflowed.
        memcpy(data, (char *)&ret, len);
…
}


Is there any caller that can send a negative length, user- or guest- controlled?

--
error compiling committee.c: too many arguments to function
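
Added example, not part of either message or of the kernel source: a stand-alone C model of the quoted length check, showing how a negative `len` is treated when it is compared against `sizeof(ret)`. It assumes `ret` is an `int` (its declaration is elided in the snippet above); `clamp_as_quoted` and `clamp_signed` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

/* The clamp exactly as written in the quoted snippet.
 * Assumption: `ret` is an int; the page elides its declaration. */
static int clamp_as_quoted(int len)
{
    int ret = 0;
    /* sizeof yields size_t, an unsigned type. The usual arithmetic
     * conversions turn `len` into size_t before the comparison, so a
     * negative len becomes a very large value and the branch is taken. */
    if (len > sizeof(ret))
        len = sizeof(ret);
    return len;
}

/* Hypothetical variant with a signed bound, for contrast:
 * here a negative len passes through the check unchanged. */
static int clamp_signed(int len)
{
    int bound = (int)sizeof(int);
    if (len > bound)
        len = bound;
    return len;
}

int main(void)
{
    int samples[] = { 1, 2, 4, 8, 0, -1, -4096 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("len=%6d  quoted clamp -> %d  signed clamp -> %d\n",
               samples[i], clamp_as_quoted(samples[i]),
               clamp_signed(samples[i]));
    return 0;
}
```

Whether a length check of this shape bounds negative values depends on the type of the right-hand operand, so audit the declared type of the bound as well as the comparison itself.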
