[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] xen/grants: prevent integer overflow in gnttab_dma_alloc_pages()

  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
  • Date: Thu, 1 Sep 2022 18:35:20 +0300
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=k3jhOi/18aqXzObtn/UvjH1Vjp+lrALC3R1MFoWRLIk=; b=BrYkeh+8x/FnBZPYgICsZelEnu3wAwbY2i6nZx9I1+iaF4kN/kcmfPL+MzRrZeTxlcDksHZMpvxgdTDJLk+KFTRoIyf4Si3ZUwt2ph8knp1BlnF5RqL4/ORsugA0C6tYk80pqbgUEHgrNtTJBbfa/DEFnCc/OVFIsFm8oO3MwuBeh9B9KEYLLKWRBWQwn72HsipYZ8qDzSUMcBZyOJeOF6vqA4oRjuOQxvC9UsyeiLY8fGsyI5IdZoLMUTYxySSKqrwmLBSpCFnkAACSOBrbp8N/cJbxKQox8Mhj6GJYWpVKjdyRlX6Agrvn6zXGZe4NbvjeTmbQqmaWGItlpCMAWw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iecDb0ZbHR0gPXmS1viD1Nw0QW+2ArTkrHcjfMOuZbdVu0GEX7d5RlBkvcMEBB/dXc1n4zIWJy5odyRsKojgh0JKZtFXxxGEiZW0xW8u81p3lT+wqwASWXH31J/oaCyAMOWzpCBOY970AW/JXoEaE/znfYYI+udECLLmoKn9Pelp1nmZQJtziMOqNqaWddI6WoA+KxPb8HrVKaD5tPIzpXfaFxZJWuOa7OuRjsdQSXPQZtkCcak7wZ0zYt3DtqykKQR3SbnhEx/keBV8Z7Sx0ZFPmrIBROa+w3oQ8RSgLo+dvVDT2pEUKkXUWyq4oEKremXyfRRYhjPc911wwnEMTw==
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, kernel-janitors@xxxxxxxxxxxxxxx
  • Delivery-date: Thu, 01 Sep 2022 15:35:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
The change from kcalloc() to kvmalloc() means that arg->nr_pages
might now be large enough that the "args->nr_pages << PAGE_SHIFT" can
result in an integer overflow.

Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 drivers/xen/grant-table.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 738029de3c67..e1ec725c2819 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -1047,6 +1047,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args 
*args)
        size_t size;
        int i, ret;
 
+       if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT))
+               return -ENOMEM;
+
        size = args->nr_pages << PAGE_SHIFT;
        if (args->coherent)
                args->vaddr = dma_alloc_coherent(args->dev, size,
-- 
2.35.1

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.