coalesced_mmio_write() is not check the len value, if len is negative, memcpy(ring->coalesced_mmio[ring->last].data, val, len); will cause stack buffer overflow.
Signed-off-by: Zhitong Wang <[email protected]> --- virt/kvm/coalesced_mmio.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index c0dcfb7..eb4601c 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c @@ -61,6 +61,10 @@ static int coalesced_mmio_write(struct kvm_io_device *this, { struct kvm_coalesced_mmio_dev *dev = to_mmio(this); struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring; + + if (len < 0) + return -EOPNOTSUPP; + if (!coalesced_mmio_in_range(dev, addr, len)) return -EOPNOTSUPP; -- 1.6.5.3 -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
