On 15.07.22 11:20, Dan Carpenter wrote:

Hello Dan

> The "m.num * sizeof(*m.arr)" multiplication can have an integer overflow
> on 32 bit systems.  Probably no one really uses this software on 32 bit
> systems, but it's still worth fixing the bug if only to make the static
> checker happy.
>
> Fixes: ceb90fa0a800 ("xen/privcmd: add PRIVCMD_MMAPBATCH_V2 ioctl")
> Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
> ---
>   drivers/xen/privcmd.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
> index ad17166b0ef6..1e59b76c618e 100644
> --- a/drivers/xen/privcmd.c
> +++ b/drivers/xen/privcmd.c
> @@ -456,6 +456,8 @@ static long privcmd_ioctl_mmap_batch(
>               if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
>                       return -EFAULT;
>               /* Returns per-frame error in m.arr. */
> +             if (m.num > SIZE_MAX / sizeof(*m.arr))
> +                     return -EINVAL;
>               m.err = NULL;
>               if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
>                       return -EFAULT;
> @@ -464,6 +466,8 @@ static long privcmd_ioctl_mmap_batch(
>               if (copy_from_user(&m, udata, sizeof(struct 
> privcmd_mmapbatch_v2)))
>                       return -EFAULT;
>               /* Returns per-frame error code in m.err. */
> +             if (m.num > SIZE_MAX / sizeof(*m.arr))

Looks like here we need to check against sizeof(*m.err) which is used in 
the multiplication below.


> +                     return -EINVAL;
>               if (!access_ok(m.err, m.num * (sizeof(*m.err))))
>                       return -EFAULT;
>               break;
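Review bot: the divisor in `if (m.num > SIZE_MAX / sizeof(*m.arr))` does not match the multiplication it is meant to guard two lines below, `m.num * (sizeof(*m.err))`; this is the V2 path, which validates m.err rather than m.arr, so the check should read `if (m.num > SIZE_MAX / sizeof(*m.err))`, otherwise the bound is derived from the wrong element size and either rejects valid values of m.num or fails to catch the wrap, depending on which type is larger. Separately, the quoted context line `sizeof(struct privcmd_mmapbatch_v2)))` has been wrapped onto two lines by the mailer, so the patch as it appears in this thread will not apply cleanly and should be resent or fetched from the original posting.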

-- 
Regards,

Oleksandr Tyshchenko
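The overflow the commit message describes, and the divisor mismatch raised in the reply, are easy to see in isolation. The following is an added example and is not code from the patch or from drivers/xen/privcmd.c; it emulates a 32-bit size_t with uint32_t so the wrap shows up even on a 64-bit host, and the function names (naive_bytes, checked_bytes, mismatched_check) are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: emulate a 32-bit size_t with uint32_t so
 * the wrap the commit message worries about is visible on any host.
 * uint32_t * uint32_t is evaluated as unsigned int, i.e. modulo 2^32. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked byte count: the multiplication silently wraps. */
static size32_t naive_bytes(uint32_t num, size32_t elem_size)
{
    return (size32_t)(num * elem_size);
}

/* Guarded byte count, mirroring the shape of the patch's check
 *   if (m.num > SIZE_MAX / sizeof(*m.arr)) return -EINVAL;
 * Returns 0 and stores the product in *out, or -EINVAL if the
 * product would not fit in a 32-bit size_t. */
static int checked_bytes(uint32_t num, size32_t elem_size, size32_t *out)
{
    if (elem_size == 0)
        return -EINVAL;            /* avoid division by zero below */
    if (num > SIZE32_MAX / elem_size)
        return -EINVAL;            /* num * elem_size would wrap */
    *out = (size32_t)(num * elem_size);
    return 0;
}

/* Constructed illustration of the mismatch flagged in the reply:
 * the bound is derived from check_elem, but the product uses mul_elem.
 * When check_elem < mul_elem the check passes and the product still wraps. */
static int mismatched_check(uint32_t num, size32_t check_elem,
                            size32_t mul_elem, size32_t *out)
{
    if (check_elem == 0)
        return -EINVAL;
    if (num > SIZE32_MAX / check_elem)
        return -EINVAL;
    *out = (size32_t)(num * mul_elem);   /* can still wrap */
    return 0;
}

int main(void)
{
    /* Constructed input: 0x20000001 elements of 8 bytes needs 2^32 + 8
     * bytes, which wraps to 8 in a 32-bit size_t. */
    uint32_t num = 0x20000001u;
    size32_t out = 0;

    printf("naive:      %u bytes (wrapped)\n", naive_bytes(num, 8));
    printf("checked:    rc=%d\n", checked_bytes(num, 8, &out));
    printf("mismatched: rc=%d out=%u (check used 4, product used 8)\n",
           mismatched_check(num, 4, 8, &out), out);
    return 0;
}
```

The check divides rather than multiplies because SIZE_MAX / elem_size can never overflow, so comparing num against it is the one comparison that is safe to make before the product exists; the last function shows why the divisor has to be the element size of the array actually being sized.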
