| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220705180649.GI23621@ziepe.ca>
Date: Tue, 5 Jul 2022 15:06:49 -0300
From: Jason Gunthorpe <jgg@...pe.ca>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Longfang Liu <liulongfang@...wei.com>,
Yishai Hadas <yishaih@...dia.com>,
Shameer Kolothum <shameerali.kolothum.thodi@...wei.com>,
Kevin Tian <kevin.tian@...el.com>,
Alex Williamson <alex.williamson@...hat.com>,
Cornelia Huck <cohuck@...hat.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] vfio: hisi_acc_vfio_pci: fix integer overflow check in
hisi_acc_vf_resume_write()
On Tue, Jul 05, 2022 at 12:05:28PM +0300, Dan Carpenter wrote:
> The casting on this makes the integer overflow check slightly wrong.
> "len" is an unsigned long. "*pos" and "requested_length" are signed
> long longs. Imagine "len" is ULONG_MAX and "*pos" is 2.
> "ULONG_MAX + 2 = 1".
I wonder if this can happen, len is a kernel controlled value bounded
by a memory allocation..
> Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
This code was copy and pasted from drivers/vfio/pci/mlx5/main.c, so it
should be fixed too
> It is strange that we are doing:
>
> pos = &filp->f_pos;
>
> instead of using the passed in value of pos.
IIRC the way we have the struct file configured the pos argument is
NULL.
Jason
Powered by blists - more mailing lists