On Wed, Dec 8, 2021 at 6:33 PM Dan Carpenter <[email protected]> wrote: > > The "config.offset" comes from the user. There needs to a check to > prevent it being out of bounds. The "config.offset" and > "dev->config_size" variables are both type u32. So if the offset if > out of bounds then the "dev->config_size - config.offset" subtraction > results in a very high u32 value. The out of bounds offset can result > in memory corruption. > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > Signed-off-by: Dan Carpenter <[email protected]> > --- > v2: fix reversed if statement > v3: fix vhost_vdpa_config_validate() as pointed out by Yongji Xie. > v4: split the vhost_vdpa_config_validate() change into a separate path
Acked-by: Jason Wang <[email protected]> > > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c > b/drivers/vdpa/vdpa_user/vduse_dev.c > index c9204c62f339..1a206f95d73a 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned > int cmd, > break; > > ret = -EINVAL; > - if (config.length == 0 || > + if (config.offset > dev->config_size || > + config.length == 0 || > config.length > dev->config_size - config.offset) > break; > > -- > 2.20.1 > _______________________________________________ Virtualization mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/virtualization
