coalesced_mmio_write() is not check the len value, if len is negative,
memcpy(ring->coalesced_mmio[ring->last].data, val, len); will cause
stack buffer overflow.
Signed-off-by: Zhitong Wang <[email protected]>
---
virt/kvm/coalesced_mmio.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
index c0dcfb7..eb4601c 100644
--- a/virt/kvm/coalesced_mmio.c
+++ b/virt/kvm/coalesced_mmio.c
@@ -61,6 +61,10 @@ static int coalesced_mmio_write(struct kvm_io_device *this,
{
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
+
+ if (len < 0)
+ return -EOPNOTSUPP;
+
if (!coalesced_mmio_in_range(dev, addr, len))
return -EOPNOTSUPP;
--
1.6.5.3
Does len need to be int? Perhaps it should be unsigned int?
Stefan
On 04/12/2010 04:57 AM, [email protected] wrote:
> coalesced_mmio_write() is not check the len value, if len is negative,
> memcpy(ring->coalesced_mmio[ring->last].data, val, len); will cause
> stack buffer overflow.
>
>
How can len be negative? It can only be between 1 and 8.
--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.