On Thu, Jan 19, 2023 at 03:57:18PM +0200, Alexander Shishkin
wrote:> From: Andi Kleen <ak at linux.intel.com>
>
> tag_len is read as a u16 from the untrusted host. It could overflow
> in the memory allocation, which would lead to a too small buffer.
>
> Some later loops use it when extended to 32bit, so they could overflow
> the too small buffer.
>
> Make sure to do the arithmetic for the buffer size in 32bit to avoid
> wrapping.
>
> Signed-off-by: Andi Kleen <ak at linux.intel.com>
> Signed-off-by: Alexander Shishkin <alexander.shishkin at
linux.intel.com>
> Reviewed-by: Christian Schoenebeck <linux_oss at crudebyte.com>
> Cc: Eric Van Hensbergen <ericvh at gmail.com>
> Cc: Latchesar Ionkov <lucho at ionkov.net>
> Cc: Dominique Martinet <asmadeus at codewreck.org>
> Cc: v9fs-developer at lists.sourceforge.net
> ---
> net/9p/trans_virtio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
> index 3c27ffb781e3..a78e4d80e5ba 100644
> --- a/net/9p/trans_virtio.c
> +++ b/net/9p/trans_virtio.c
> @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev)
> err = -EINVAL;
> goto out_free_vq;
> }
> - tag = kzalloc(tag_len + 1, GFP_KERNEL);
> + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL);
> if (!tag) {
> err = -ENOMEM;
> goto out_free_vq;
Hmm are you sure there's a difference in behaviour? I thought C will just
extend the integer to int.
> --
> 2.39.0