There is a pointer math bug here so if "offset" is non-zero then this
will copy memory from beyond the end of the array.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 3ec44a4f0e45..9d1637cf772e 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1758,7 +1758,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
if (offset + len < sizeof(struct virtio_net_config))
- memcpy(buf, &ndev->config + offset, len);
+ memcpy(buf, (u8 *)&ndev->config + offset, len);
}
static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int offset, const void *buf,
--
2.27.0
Acked-by: Eli Cohen <[email protected]>
BTW, vdpa_sim has the same bug.
-----Original Message-----
From: Dan Carpenter <[email protected]>
Sent: Saturday, August 8, 2020 12:33 PM
To: Michael S. Tsirkin <[email protected]>; Eli Cohen <[email protected]>
Cc: Jason Wang <[email protected]>; Parav Pandit <[email protected]>; [email protected]; [email protected]; [email protected]
Subject: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config()
There is a pointer math bug here so if "offset" is non-zero then this will copy memory from beyond the end of the array.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 3ec44a4f0e45..9d1637cf772e 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1758,7 +1758,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
if (offset + len < sizeof(struct virtio_net_config))
- memcpy(buf, &ndev->config + offset, len);
+ memcpy(buf, (u8 *)&ndev->config + offset, len);
}
static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int offset, const void *buf,
--
2.27.0
On Sun, Aug 09, 2020 at 06:34:04AM +0000, Eli Cohen wrote:
> Acked-by: Eli Cohen <[email protected]>
>
> BTW, vdpa_sim has the same bug.
>
I sent a patch for that on April 6.
[PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config()
Jason acked the patch but it wasn't applied.
regards,
dan carpenter
On Mon, Aug 10, 2020 at 01:31:47PM +0300, Dan Carpenter wrote:
> On Sun, Aug 09, 2020 at 06:34:04AM +0000, Eli Cohen wrote:
> > Acked-by: Eli Cohen <[email protected]>
> >
> > BTW, vdpa_sim has the same bug.
> >
>
> I sent a patch for that on April 6.
>
> [PATCH 2/2] vdpa: Fix pointer math bug in vdpasim_get_config()
>
> Jason acked the patch but it wasn't applied.
>
> regards,
> dan carpenter
Oh sorry. I'll drop my patch and queue yours then.