On 08/09/12 10:52, Dan Carpenter wrote:
> If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication
> could overflow and the access_ok() check wouldn't test the right size.
m.num is range checked later on so it doesn't matter that the
access_ok() checks might be wrong. A bit subtle, perhaps.
David
> Signed-off-by: Dan Carpenter
> ---
> Only needed in linux-next.
>
> diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> index 215a3c0..fdff8f9 100644
> --- a/drivers/xen/privcmd.c
> +++ b/drivers/xen/privcmd.c
> @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata,
> int version)
> return -EFAULT;
> /* Returns per-frame error in m.arr. */
> m.err = NULL;
> + if (m.num > SIZE_MAX / sizeof(*m.arr))
> + return -EINVAL;
> if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr)))
> return -EFAULT;
> break;
> @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata,
> int version)
> if (copy_from_user(&m, udata, sizeof(struct
> privcmd_mmapbatch_v2)))
> return -EFAULT;
> /* Returns per-frame error code in m.err. */
> + if (m.num > SIZE_MAX / sizeof(*m.err))
> + return -EINVAL;
> if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err
> return -EFAULT;
> break;
>
> ___
> Xen-devel mailing list
> xen-de...@lists.xen.org
> http://lists.xen.org/xen-devel
___
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
