lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 Aug 2020 06:34:04 +0000 From: Eli Cohen <elic@...dia.com> To: Dan Carpenter <dan.carpenter@...cle.com>, "Michael S. Tsirkin" <mst@...hat.com>, Eli Cohen <eli@...lanox.com> CC: Jason Wang <jasowang@...hat.com>, Parav Pandit <parav@...lanox.com>, "virtualization@...ts.linux-foundation.org" <virtualization@...ts.linux-foundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org> Subject: RE: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config() Acked-by: Eli Cohen <elic@...dia.com> BTW, vdpa_sim has the same bug. -----Original Message----- From: Dan Carpenter <dan.carpenter@...cle.com> Sent: Saturday, August 8, 2020 12:33 PM To: Michael S. Tsirkin <mst@...hat.com>; Eli Cohen <eli@...lanox.com> Cc: Jason Wang <jasowang@...hat.com>; Parav Pandit <parav@...lanox.com>; virtualization@...ts.linux-foundation.org; linux-kernel@...r.kernel.org; kernel-janitors@...r.kernel.org Subject: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config() There is a pointer math bug here so if "offset" is non-zero then this will copy memory from beyond the end of the array. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> --- drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c index 3ec44a4f0e45..9d1637cf772e 100644 --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c @@ -1758,7 +1758,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device *vdev, unsigned int offset, struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev); if (offset + len < sizeof(struct virtio_net_config)) - memcpy(buf, &ndev->config + offset, len); + memcpy(buf, (u8 *)&ndev->config + offset, len); } static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int offset, const void *buf, -- 2.27.0
Powered by blists - more mailing lists