Date:	Mon,  2 Mar 2015 08:19:11 -0800
From:	jhansen@...are.com
To:	linux-kernel@...r.kernel.org,
	virtualization@...ts.linux-foundation.org
Cc:	gregkh@...uxfoundation.org, pv-drivers@...are.com,
	keescook@...gle.com, dan.carpenter@...cle.com,
	Jorgen Hansen <jhansen@...are.com>
Subject: [PATCH] VMCI: Guard against overflow in queue pair allocation

From: Jorgen Hansen <jhansen@...are.com>

The current maximum size of a queue in a queue pair is 128 MB. If
we increase that in the future, the queue pair allocation routines
may run into overflow issues. This change adds additional checks
to guard against this.

Acked-by: Andy King <acking@...are.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: Jorgen Hansen <jhansen@...are.com>
---
 drivers/misc/vmw_vmci/vmci_driver.c     |    2 +-
 drivers/misc/vmw_vmci/vmci_queue_pair.c |   31 ++++++++++++++++++++++---------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/drivers/misc/vmw_vmci/vmci_driver.c b/drivers/misc/vmw_vmci/vmci_driver.c
index cf264a1..b823f9a 100644
--- a/drivers/misc/vmw_vmci/vmci_driver.c
+++ b/drivers/misc/vmw_vmci/vmci_driver.c
@@ -113,5 +113,5 @@ module_exit(vmci_drv_exit);
 
 MODULE_AUTHOR("VMware, Inc.");
 MODULE_DESCRIPTION("VMware Virtual Machine Communication Interface.");
-MODULE_VERSION("1.1.2.0-k");
+MODULE_VERSION("1.1.3.0-k");
 MODULE_LICENSE("GPL v2");
diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
index 35f19a6..6d5144c 100644
--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
+++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
@@ -295,12 +295,20 @@ static void *qp_alloc_queue(u64 size, u32 flags)
 {
 	u64 i;
 	struct vmci_queue *queue;
-	const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
-	const size_t pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);
-	const size_t vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);
-	const size_t queue_size =
-		sizeof(*queue) + sizeof(*queue->kernel_if) +
-		pas_size + vas_size;
+	size_t pas_size;
+	size_t vas_size;
+	size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);
+	const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+
+	if (num_pages >
+		 (SIZE_MAX - queue_size) /
+		 (sizeof(*queue->kernel_if->u.g.pas) +
+		  sizeof(*queue->kernel_if->u.g.vas)))
+		return NULL;
+
+	pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);
+	vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);
+	queue_size += pas_size + vas_size;
 
 	queue = vmalloc(queue_size);
 	if (!queue)
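Review bot: The new guard `if (num_pages > (SIZE_MAX - queue_size) / (sizeof(...pas) + sizeof(...vas)))` is correct but carries no explanation of what it protects, which the next reader will need; a comment such as `/* Reject a num_pages whose pas/vas arrays would wrap queue_size: a wrapped size would hand vmalloc() a buffer too small for the page arrays that are filled in later. */` above the check would do. The guard only covers the size_t arithmetic that follows; `DIV_ROUND_UP(size, PAGE_SIZE) + 1` is evaluated in u64 before it and still assumes the caller has already bounded `size` (the 128 MB queue limit the description mentions), which is worth stating in the same comment. The parallel check in qp_host_alloc_queue in the next hunk has the same two gaps. qp_alloc_queue's body continues past the hunk, where the allocated arrays are presumably populated.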
@@ -615,10 +623,15 @@ static int qp_memcpy_from_queue_iov(void *dest,
 static struct vmci_queue *qp_host_alloc_queue(u64 size)
 {
 	struct vmci_queue *queue;
-	const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+	size_t queue_page_size;
+	const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
 	const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
-	const size_t queue_page_size =
-	    num_pages * sizeof(*queue->kernel_if->u.h.page);
+
+	if (num_pages > (SIZE_MAX - queue_size) /
+		 sizeof(*queue->kernel_if->u.h.page))
+		return NULL;
+
+	queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);
 
 	queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
 	if (queue) {
-- 
1.7.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
