| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jul 2022 17:53:53 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: Yishai Hadas <yishaih@...dia.com>,
Shameer Kolothum <shameerali.kolothum.thodi@...wei.com>,
Kevin Tian <kevin.tian@...el.com>,
Alex Williamson <alex.williamson@...hat.com>,
Cornelia Huck <cohuck@...hat.com>,
Leon Romanovsky <leon@...nel.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH] vfio/mlx5: clean up overflow check
The casting on this overflow check is not done correctly, but
fortunately checks in the callers should prevent this from affecting
runtime.
The "len" variable is unsigned long while "*pos" and "requested_length"
are signed long long. Imagine "len" was ULONG_MAX and "*pos" was 2.
Then "ULONG_MAX + 2 = 1" which is an integer overflow so it will be
caught. However if we cast "len" to a long long then it becomes
"-1 + 2 = 1" which is not an integer overflow and will not be caught.
However "len" cannot actually be that high and the check for "*pos < 0"
means that this cannot happen. Still it's worth cleaning up just as a
hardenning measure and so that it's not copy and pasted to other places.
Fixes: 6fadb021266d ("vfio/mlx5: Implement vfio_pci driver for mlx5 devices")
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
drivers/vfio/pci/mlx5/main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/vfio/pci/mlx5/main.c b/drivers/vfio/pci/mlx5/main.c
index a9b63d15c5d3..c65dca59caec 100644
--- a/drivers/vfio/pci/mlx5/main.c
+++ b/drivers/vfio/pci/mlx5/main.c
@@ -271,15 +271,15 @@ static ssize_t mlx5vf_resume_write(struct file *filp, const char __user *buf,
size_t len, loff_t *pos)
{
struct mlx5_vf_migration_file *migf = filp->private_data;
- loff_t requested_length;
+ unsigned long requested_length;
ssize_t done = 0;
if (pos)
return -ESPIPE;
pos = &filp->f_pos;
- if (*pos < 0 ||
- check_add_overflow((loff_t)len, *pos, &requested_length))
+ if (*pos < 0 || *pos > ULONG_MAX ||
+ check_add_overflow(len, (unsigned long)*pos, &requested_length))
return -EINVAL;
if (requested_length > MAX_MIGRATION_SIZE)
--
2.35.1
Powered by blists - more mailing lists