Начало Каталог Помощ
Вход
GfA
/
linux_kernel
5
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
Преглед на файлове

VMCI: Guard against overflow in queue pair allocation

The current maximum size of a queue in a queue pair is 128 MB. If
we increase that in the future, the queue pair allocation routines
may run into overflow issues. This change adds additional checks
to guard against this.

Acked-by: Andy King <acking@vmware.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jorgen Hansen преди 10 години
родител
74b5c297f5
ревизия
aa6467f190
променени са 2 файла, в които са добавени 23 реда и са изтрити 10 реда
Обединен изглед Покажи статистика за разликите
  1. 1 1
      drivers/misc/vmw_vmci/vmci_driver.c
  2. 22 9
      drivers/misc/vmw_vmci/vmci_queue_pair.c

+ 1 - 1
drivers/misc/vmw_vmci/vmci_driver.c
Целия файл 

@@ -113,5 +113,5 @@ module_exit(vmci_drv_exit);
 
 
 
 MODULE_AUTHOR("VMware, Inc.");
 
 MODULE_AUTHOR("VMware, Inc.");
 
 MODULE_DESCRIPTION("VMware Virtual Machine Communication Interface.");
 
 MODULE_DESCRIPTION("VMware Virtual Machine Communication Interface.");
 
-MODULE_VERSION("1.1.2.0-k");
 
+MODULE_VERSION("1.1.3.0-k");
 
 MODULE_LICENSE("GPL v2");
 
 MODULE_LICENSE("GPL v2");

+ 22 - 9
drivers/misc/vmw_vmci/vmci_queue_pair.c
Целия файл 

@@ -295,12 +295,20 @@ static void *qp_alloc_queue(u64 size, u32 flags)
 
 {
 
 {
 
 	u64 i;
 
 	u64 i;
 
 	struct vmci_queue *queue;
 
 	struct vmci_queue *queue;
 
-	const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
 
-	const size_t pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);
 
-	const size_t vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);
 
-	const size_t queue_size =
 
-		sizeof(*queue) + sizeof(*queue->kernel_if) +
 
-		pas_size + vas_size;
 
+	size_t pas_size;
 
+	size_t vas_size;
 
+	size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);
 
+	const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
 
+
 
+	if (num_pages >
 
+		 (SIZE_MAX - queue_size) /
 
+		 (sizeof(*queue->kernel_if->u.g.pas) +
 
+		  sizeof(*queue->kernel_if->u.g.vas)))
 
+		return NULL;
 
+
 
+	pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);
 
+	vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);
 
+	queue_size += pas_size + vas_size;
 
 
 
 	queue = vmalloc(queue_size);
 
 	queue = vmalloc(queue_size);
 
 	if (!queue)
 
 	if (!queue)
 
@@ -615,10 +623,15 @@ static int qp_memcpy_from_queue_iov(void *dest,
 
 static struct vmci_queue *qp_host_alloc_queue(u64 size)
 
 static struct vmci_queue *qp_host_alloc_queue(u64 size)
 
 {
 
 {
 
 	struct vmci_queue *queue;
 
 	struct vmci_queue *queue;
 
-	const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
 
+	size_t queue_page_size;
 
+	const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
 
 	const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
 
 	const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
 
-	const size_t queue_page_size =
 
-	    num_pages * sizeof(*queue->kernel_if->u.h.page);
 
+
 
+	if (num_pages > (SIZE_MAX - queue_size) /
 
+		 sizeof(*queue->kernel_if->u.h.page))
 
+		return NULL;
 
+
 
+	queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);
 
 
 
 	queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
 
 	queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
 
 	if (queue) {
 
 	if (queue) {