Dan Carpenter
2022-May-23 08:30 UTC
[PATCH] vdpasim: Off by one in vdpasim_set_group_asid()
The > comparison needs to be >= to prevent an out of bounds access of the vdpasim->iommu[] array. The vdpasim->iommu[] is allocated in vdpasim_create() and it has vdpasim->dev_attr.nas elements. Fixes: 87e5afeac247 ("vdpasim: control virtqueue support") Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com> --- drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c index 50d721072beb..0f2865899647 100644 --- a/drivers/vdpa/vdpa_sim/vdpa_sim.c +++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c @@ -567,7 +567,7 @@ static int vdpasim_set_group_asid(struct vdpa_device *vdpa, unsigned int group, if (group > vdpasim->dev_attr.ngroups) return -EINVAL; - if (asid > vdpasim->dev_attr.nas) + if (asid >= vdpasim->dev_attr.nas) return -EINVAL; iommu = &vdpasim->iommu[asid]; -- 2.35.1
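Review bot: The unchanged context line `if (group > vdpasim->dev_attr.ngroups)` directly above the fixed check compares against a count with the same `>`, so group == ngroups is still accepted. If group is a zero-based index in the same way asid is, that check should become `>=` as well; please confirm, and either fold it into this patch or send a follow-up. The asid change itself is consistent with the commit message: with nas elements in iommu[], asid == nas has to be rejected before `&vdpasim->iommu[asid]` is taken.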
On Mon, May 23, 2022 at 4:31 PM Dan Carpenter <dan.carpenter at oracle.com> wrote:> > The > comparison needs to be >= to prevent an out of bounds access > of the vdpasim->iommu[] array. The vdpasim->iommu[] is allocated in > vdpasim_create() and it has vdpasim->dev_attr.nas elements. > > Fixes: 87e5afeac247 ("vdpasim: control virtqueue support") > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>Acked-by: Jason Wang <jasowang at redhat.com>> --- > drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c > index 50d721072beb..0f2865899647 100644 > --- a/drivers/vdpa/vdpa_sim/vdpa_sim.c > +++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c > @@ -567,7 +567,7 @@ static int vdpasim_set_group_asid(struct vdpa_device *vdpa, unsigned int group, > if (group > vdpasim->dev_attr.ngroups) > return -EINVAL; > > - if (asid > vdpasim->dev_attr.nas) > + if (asid >= vdpasim->dev_attr.nas) > return -EINVAL; > > iommu = &vdpasim->iommu[asid]; > -- > 2.35.1 >