[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl



On Sep 8, 2012, at 5:52 AM, Dan Carpenter wrote:

> If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication
> could overflow and the access_ok() check wouldn't test the right size.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Andres Lagar-Cavilla <andres@xxxxxxxxxxxxxxxx>
> ---
> Only needed in linux-next.
> 
> diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> index 215a3c0..fdff8f9 100644
> --- a/drivers/xen/privcmd.c
> +++ b/drivers/xen/privcmd.c
> @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, 
> int version)
>                       return -EFAULT;
>               /* Returns per-frame error in m.arr. */
>               m.err = NULL;
> +             if (m.num > SIZE_MAX / sizeof(*m.arr))
> +                     return -EINVAL;
>               if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr)))
>                       return -EFAULT;
>               break;
> @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, 
> int version)
>               if (copy_from_user(&m, udata, sizeof(struct 
> privcmd_mmapbatch_v2)))
>                       return -EFAULT;
>               /* Returns per-frame error code in m.err. */
> +             if (m.num > SIZE_MAX / sizeof(*m.err))
> +                     return -EINVAL;
>               if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err))))
>                       return -EFAULT;
>               break;


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.