Commit 05692d70 authored by Vlad Tsyrklevich's avatar Vlad Tsyrklevich Committed by Alex Williamson
Browse files

vfio/pci: Fix integer overflows, bitmask check 



The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
user-supplied integers, potentially allowing memory corruption. This
patch adds appropriate integer overflow checks, checks the range bounds
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
vfio_pci_set_irqs_ioctl().

Furthermore, a kzalloc is changed to a kcalloc because the use of a
kzalloc with an integer multiplication allowed an integer overflow
condition to be reached without this patch. kcalloc checks for overflow
and should prevent a similar occurrence.

Signed-off-by: default avatarVlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
parent 07d9a380

drivers/vfio/pci/vfio_pci.c

+21 −12
Original line number Diff line number Diff line
@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data, 


	} else if (cmd == VFIO_DEVICE_SET_IRQS) {

		struct vfio_irq_set hdr;

		size_t size;

		u8 *data = NULL;

		int ret = 0;

		int max, ret = 0;



		minsz = offsetofend(struct vfio_irq_set, count);
@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data, 
			return -EFAULT;



		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||

		    hdr.count >= (U32_MAX - hdr.start) ||

		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |

				  VFIO_IRQ_SET_ACTION_TYPE_MASK))

			return -EINVAL;



		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {

			size_t size;

			int max = vfio_pci_get_irq_count(vdev, hdr.index);

		max = vfio_pci_get_irq_count(vdev, hdr.index);

		if (hdr.start >= max || hdr.start + hdr.count > max)

			return -EINVAL;



			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)

		switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {

		case VFIO_IRQ_SET_DATA_NONE:

			size = 0;

			break;

		case VFIO_IRQ_SET_DATA_BOOL:

			size = sizeof(uint8_t);

			else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)

			break;

		case VFIO_IRQ_SET_DATA_EVENTFD:

			size = sizeof(int32_t);

			else

			break;

		default:

			return -EINVAL;

		}



			if (hdr.argsz - minsz < hdr.count * size ||

			    hdr.start >= max || hdr.start + hdr.count > max)

		if (size) {

			if (hdr.argsz - minsz < hdr.count * size)

				return -EINVAL;



			data = memdup_user((void __user *)(arg + minsz),

drivers/vfio/pci/vfio_pci_intrs.c

+1 −1
Original line number Diff line number Diff line
@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) 
	if (!is_irq_none(vdev))

		return -EINVAL;



	vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);

	vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);

	if (!vdev->ctx)

		return -ENOMEM;

CRA Git | Maintained and supported by SUSTech CRA and CCSE