| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <262ada03-d848-4369-9c37-81edeeed2da2@stanley.mountain>
Date: Thu, 12 Sep 2024 11:49:10 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Alex Williamson <alex.williamson@...hat.com>
Cc: Jason Gunthorpe <jgg@...pe.ca>, Kevin Tian <kevin.tian@...el.com>,
Yi Liu <yi.l.liu@...el.com>, Christian Brauner <brauner@...nel.org>,
Kunwu Chan <chentao@...inos.cn>, Ankit Agrawal <ankita@...dia.com>,
kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: [PATCH] vfio/pci: clean up a type in
vfio_pci_ioctl_pci_hot_reset_groups()
The "array_count" value comes from the copy_from_user() in
vfio_pci_ioctl_pci_hot_reset(). If the user passes a value larger than
INT_MAX then we'll pass a negative value to kcalloc() which triggers an
allocation failure and a stack trace.
It's better to make the type unsigned so that if (array_count > count)
returns -EINVAL instead.
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
drivers/vfio/pci/vfio_pci_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index 077d4a2629c8..1ab58da9f38a 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -1324,7 +1324,7 @@ static int vfio_pci_ioctl_get_pci_hot_reset_info(
static int
vfio_pci_ioctl_pci_hot_reset_groups(struct vfio_pci_core_device *vdev,
- int array_count, bool slot,
+ u32 array_count, bool slot,
struct vfio_pci_hot_reset __user *arg)
{
int32_t *group_fds;
--
2.45.2
Powered by blists - more mailing lists