From: Andi Kleen <[email protected]>
tag_len is read as a u16 from the untrusted host. It could overflow
in the memory allocation, which would lead to a too small buffer.
Some later loops use it when extended to 32bit, so they could overflow
the too small buffer.
Make sure to do the arithmetic for the buffer size in 32bit to avoid
wrapping.
Signed-off-by: Andi Kleen <[email protected]>
Signed-off-by: Alexander Shishkin <[email protected]>
Reviewed-by: Christian Schoenebeck <[email protected]>
Cc: Eric Van Hensbergen <[email protected]>
Cc: Latchesar Ionkov <[email protected]>
Cc: Dominique Martinet <[email protected]>
Cc: [email protected]
---
net/9p/trans_virtio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 3c27ffb781e3..a78e4d80e5ba 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev)
err = -EINVAL;
goto out_free_vq;
}
- tag = kzalloc(tag_len + 1, GFP_KERNEL);
+ tag = kzalloc((u32)tag_len + 1, GFP_KERNEL);
if (!tag) {
err = -ENOMEM;
goto out_free_vq;
--
2.39.0
On Thu, Jan 19, 2023 at 03:57:18PM +0200, Alexander Shishkin wrote:
> From: Andi Kleen <[email protected]>
>
> tag_len is read as a u16 from the untrusted host. It could overflow
> in the memory allocation, which would lead to a too small buffer.
>
> Some later loops use it when extended to 32bit, so they could overflow
> the too small buffer.
>
> Make sure to do the arithmetic for the buffer size in 32bit to avoid
> wrapping.
>
> Signed-off-by: Andi Kleen <[email protected]>
> Signed-off-by: Alexander Shishkin <[email protected]>
> Reviewed-by: Christian Schoenebeck <[email protected]>
> Cc: Eric Van Hensbergen <[email protected]>
> Cc: Latchesar Ionkov <[email protected]>
> Cc: Dominique Martinet <[email protected]>
> Cc: [email protected]
> ---
> net/9p/trans_virtio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
> index 3c27ffb781e3..a78e4d80e5ba 100644
> --- a/net/9p/trans_virtio.c
> +++ b/net/9p/trans_virtio.c
> @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev)
> err = -EINVAL;
> goto out_free_vq;
> }
> - tag = kzalloc(tag_len + 1, GFP_KERNEL);
> + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL);
> if (!tag) {
> err = -ENOMEM;
> goto out_free_vq;
Hmm are you sure there's a difference in behaviour? I thought C will just
extend the integer to int.
> --
> 2.39.0
"Michael S. Tsirkin" <[email protected]> writes:
> On Thu, Jan 19, 2023 at 03:57:18PM +0200, Alexander Shishkin wrote:
>> From: Andi Kleen <[email protected]>
>>
>> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
>> index 3c27ffb781e3..a78e4d80e5ba 100644
>> --- a/net/9p/trans_virtio.c
>> +++ b/net/9p/trans_virtio.c
>> @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev)
>> err = -EINVAL;
>> goto out_free_vq;
>> }
>> - tag = kzalloc(tag_len + 1, GFP_KERNEL);
>> + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL);
>> if (!tag) {
>> err = -ENOMEM;
>> goto out_free_vq;
>
> Hmm are you sure there's a difference in behaviour? I thought C will just
> extend the integer to int.
Actually, you're right, integer promotion would extend the original
expression to int. I'll drop this patch also.
Thanks,
--
Alex