Xen project Mailing List

Re: [PATCH] xen/privcmd: prevent integer overflow on 32 bit systems

To: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Date: Sat, 16 Jul 2022 13:12:46 +0300

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1k6gj6cFFW104RN+pwDglwXobR+RGNKua6JhD5+mt2k=; b=LqRMF6Kc6F9rAs+FtTlyYyfxveGL86mzzYSH849W5g4s0qxrP37narNBPO/oplSO61GgCuwNRxdw0hKaobAbUdtYBpcJsa9un8pturQikQkQw1VPfq194oHZjB+Lq37yRZAC3v2ivak9njoGWWCCMDBayA/RHuFw3NsBgsN1xAruSXmRbMIOsSU5y1eHmcndtSaM0Hic7r6s03qR5pFHyz61QpLpq0s616RVD+3m5IKP97wQTF82edwYQIhM4kiCSFzhtqeNU9cW2e166xdKzgD29lmzljYJVzKQMAjnjLej9poOQtGWtAlPVGJjbWRpagQMawdbPW4+JKtoM7MxyQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RVF9qS3I7dT4P4f3Lt4K+oP1bslio8KIukAJ3OVT5brH7h5it9vKNF+4Ok5NV9lImbiY+sD/sTNLUH46oLkQMEMpvC6tyODGPzdCfPdJQKjvL9w0oDvI8BCdNyFInZfxgwlu0TKAdZ7HdOr5qBKdXtgUhU2OYWQnCO3RO+ZWyLZcYJ0ahXfBbdkRqaJYkQKU3h95d0R6IEk0tkZcZmWi+L9F6OVIk14XBEarC9fWJBNAT0byzkMJ+wZmlk4wygDF8yojCm2AMqv5kqTAoSSAo6QCOBuQS7iRccdmdkzpsQe31c/aU5n0A50Xez0WHWPmcNcLWzTvmZl1Tzfo+PmVAA==

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Andres Lagar-Cavilla <andreslc@xxxxxxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "kernel-janitors@xxxxxxxxxxxxxxx" <kernel-janitors@xxxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>

Delivery-date: Sat, 16 Jul 2022 10:13:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Jul 15, 2022 at 08:56:30AM +0000, Oleksandr Tyshchenko wrote: > > On 15.07.22 11:20, Dan Carpenter wrote: > > > Hello Dan > > > The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow > > on 32 bit systems. Probably no one really uses this software on 32 bit > > systems, but it's still worth fixing the bug if only to make the static > > checker happy. > > > > Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl") > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > --- > > drivers/xen/privcmd.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c > > index ad17166b0ef6..1e59b76c618e 100644 > > --- a/drivers/xen/privcmd.c > > +++ b/drivers/xen/privcmd.c > > @@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch( > > if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch))) > > return -EFAULT; > > /* Returns per-frame error in m.arr. */ > > + if (m.num > SIZE_MAX / sizeof(*m.arr)) > > + return -EINVAL; > > m.err = NULL; > > if (!access_ok(m.arr, m.num * sizeof(*m.arr))) > > return -EFAULT; > > @@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch( > > if (copy_from_user(&m, udata, sizeof(struct > > privcmd_mmapbatch_v2))) > > return -EFAULT; > > /* Returns per-frame error code in m.err. */ > > + if (m.num > SIZE_MAX / sizeof(*m.arr)) > > Looks like here we need to check against sizeof(*m.err) which is used in > the multiplication below. Oh, yeah. Sorry! Need to redo that. regards, dan carpenter

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.