Dan Carpenter
2012-Sep-08 09:52 UTC
[patch 1/3] xen/privcmd: check for integer overflow in ioctl
If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication could overflow and the access_ok() check wouldn't test the right size. Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com> --- Only needed in linux-next. diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c index 215a3c0..fdff8f9 100644 --- a/drivers/xen/privcmd.c +++ b/drivers/xen/privcmd.c @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) return -EFAULT; /* Returns per-frame error in m.arr. */ m.err = NULL; + if (m.num > SIZE_MAX / sizeof(*m.arr)) + return -EINVAL; if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) return -EFAULT; break; @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2))) return -EFAULT; /* Returns per-frame error code in m.err. */ + if (m.num > SIZE_MAX / sizeof(*m.err)) + return -EINVAL; if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err)))) return -EFAULT; break;
Andres Lagar-Cavilla
2012-Sep-09 19:49 UTC
[patch 1/3] xen/privcmd: check for integer overflow in ioctl
On Sep 8, 2012, at 5:52 AM, Dan Carpenter wrote:> If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication > could overflow and the access_ok() check wouldn't test the right size. > > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>Acked-by: Andres Lagar-Cavilla <andres at lagarcavilla.org>> --- > Only needed in linux-next. > > diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c > index 215a3c0..fdff8f9 100644 > --- a/drivers/xen/privcmd.c > +++ b/drivers/xen/privcmd.c > @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) > return -EFAULT; > /* Returns per-frame error in m.arr. */ > m.err = NULL; > + if (m.num > SIZE_MAX / sizeof(*m.arr)) > + return -EINVAL; > if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) > return -EFAULT; > break; > @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) > if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2))) > return -EFAULT; > /* Returns per-frame error code in m.err. */ > + if (m.num > SIZE_MAX / sizeof(*m.err)) > + return -EINVAL; > if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err)))) > return -EFAULT; > break;
David Vrabel
2012-Sep-10 10:35 UTC
[Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl
On 08/09/12 10:52, Dan Carpenter wrote:> If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication > could overflow and the access_ok() check wouldn't test the right size.m.num is range checked later on so it doesn't matter that the access_ok() checks might be wrong. A bit subtle, perhaps. David> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com> > --- > Only needed in linux-next. > > diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c > index 215a3c0..fdff8f9 100644 > --- a/drivers/xen/privcmd.c > +++ b/drivers/xen/privcmd.c > @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) > return -EFAULT; > /* Returns per-frame error in m.arr. */ > m.err = NULL; > + if (m.num > SIZE_MAX / sizeof(*m.arr)) > + return -EINVAL; > if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) > return -EFAULT; > break; > @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) > if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2))) > return -EFAULT; > /* Returns per-frame error code in m.err. */ > + if (m.num > SIZE_MAX / sizeof(*m.err)) > + return -EINVAL; > if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err)))) > return -EFAULT; > break; > > _______________________________________________ > Xen-devel mailing list > Xen-devel at lists.xen.org > http://lists.xen.org/xen-devel
Dan Carpenter
2012-Sep-10 11:20 UTC
[Xen-devel] [patch 1/3] xen/privcmd: check for integer overflow in ioctl
On Mon, Sep 10, 2012 at 11:35:11AM +0100, David Vrabel wrote:> On 08/09/12 10:52, Dan Carpenter wrote: > > If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication > > could overflow and the access_ok() check wouldn't test the right size. > > m.num is range checked later on so it doesn't matter that the > access_ok() checks might be wrong. A bit subtle, perhaps. >Yeah. It's too subtle for my static checker but not so subtle for a human being. Laziness on my part. Please drop this patch. regards, dan carpenter
Reasonably Related Threads
- [patch 1/3] xen/privcmd: check for integer overflow in ioctl
- [patch 3/3] xen/privcmd: remove const modifier from declaration
- [patch 3/3] xen/privcmd: remove const modifier from declaration
- [PATCH] xen: xenfs: privcmd: check put_user() return code
- [PATCH] xen: xenfs: privcmd: check put_user() return code