|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl
On Sep 8, 2012, at 5:52 AM, Dan Carpenter wrote: > If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication > could overflow and the access_ok() check wouldn't test the right size. > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Acked-by: Andres Lagar-Cavilla <andres@xxxxxxxxxxxxxxxx> > --- > Only needed in linux-next. > > diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c > index 215a3c0..fdff8f9 100644 > --- a/drivers/xen/privcmd.c > +++ b/drivers/xen/privcmd.c > @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, > int version) > return -EFAULT; > /* Returns per-frame error in m.arr. */ > m.err = NULL; > + if (m.num > SIZE_MAX / sizeof(*m.arr)) > + return -EINVAL; > if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) > return -EFAULT; > break; > @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, > int version) > if (copy_from_user(&m, udata, sizeof(struct > privcmd_mmapbatch_v2))) > return -EFAULT; > /* Returns per-frame error code in m.err. */ > + if (m.num > SIZE_MAX / sizeof(*m.err)) > + return -EINVAL; > if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err)))) > return -EFAULT; > break; _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |