• Vlad Tsyrklevich's avatar
    vfio/pci: Fix integer overflows, bitmask check · d23ef85b
    Vlad Tsyrklevich authored
    commit 05692d70 upstream.
    
    The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
    user-supplied integers, potentially allowing memory corruption. This
    patch adds appropriate integer overflow checks, checks the range bounds
    for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
    in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
    VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
    vfio_pci_set_irqs_ioctl().
    
    Furthermore, a kzalloc is changed to a kcalloc because the use of a
    kzalloc with an integer multiplication allowed an integer overflow
    condition to be reached without this patch. kcalloc checks for overflow
    and should prevent a similar occurrence.
    Signed-off-by: default avatarVlad Tsyrklevich <vlad@tsyrklevich.net>
    Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    d23ef85b
vfio_pci_intrs.c 16.1 KB