www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Vlad Tsyrklevich <vlad@tsyrklevich.net>
	Wed, 12 Oct 2016 16:51:24 +0000 (18:51 +0200)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Mon, 12 Dec 2016 05:27:19 +0000 (21:27 -0800)
commit	e24a5b05d3f3cac82dce5b5cca87c23ee5cbff04
tree	ebb6d7788e3db1e08708601ab95c192587dd2656	tree
parent	ed9a229d1d94b467079b7a9773af0fb1b42ed625	commit \| diff

vfio/pci: Fix integer overflows, bitmask check

The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
user-supplied integers, potentially allowing memory corruption. This
patch adds appropriate integer overflow checks, checks the range bounds
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
vfio_pci_set_irqs_ioctl().

Furthermore, a kzalloc is changed to a kcalloc because the use of a
kzalloc with an integer multiplication allowed an integer overflow
condition to be reached without this patch. kcalloc checks for overflow
and should prevent a similar occurrence.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
(cherry picked from commit 05692d7005a364add85c6e25a6c4447ce08f913a)

Orabug: 24963753
CVE: CVE-2016-9083,CVE-2016-9084
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Reviewed-by: Dhaval Giani <dhaval.giani@oracle.com>

drivers/vfio/pci/vfio_pci.c		diff \| blob \| history
drivers/vfio/pci/vfio_pci_intrs.c		diff \| blob \| history