Received: by 10.192.165.156 with SMTP id m28csp1149215imm; Wed, 11 Apr 2018 13:21:52 -0700 (PDT) X-Google-Smtp-Source: AIpwx48rwjbC8EVotZRghOoU8G9RCLsc2CUpWPdxWqKWU0kzau5ixBanZ5u4ygTdQJgoAHqHwVMt X-Received: by 10.101.67.6 with SMTP id j6mr4489852pgq.126.1523478112833; Wed, 11 Apr 2018 13:21:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523478112; cv=none; d=google.com; s=arc-20160816; b=AUjqT149kAiH0KesiMzbm4RgoZuwyaa1is5gphVZGZIvWMGkQHyFSNzwS+7SLLVW+/ XDonalP+/JIyuHUVFi+xpKpkmcUMpIRs9BWL874iyW7F6Yqdx/B9XcbXTFCE0mu8bQSz xo1iwBB1oVKf4pwxBfFSzyU41G5mAyHsylFV/SgYBOmQq+TaGeA5NcZgavuTzapJLQ8U 3Gliy5LrJpHCAzsVE4PlAKG2DPoXAZ+4ncP8dHPxqWBMoe4wFakbyQtWkRdcE6joCx1L /bgmb7wq81opGT2Jtx6+xlLTm6R2Q3poZRh7Vp+vd3DqNp0/C75G6/NrX71HdbkFIP0+ I/qQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=oFk84lpKx4lEpr6UZpRE2hLr3FAR7DG9arGlCFbX5+o=; b=kX7v6FB+O/3psjxMfb9mpeHZJaCtAhuTq5HmRv0teCSwNmYKJED0EbyLdIBFUKbkrz 2Fc6ryBMe7k75KYRT34xvTUQgJoZdUSUkIYTxg6UWLWVdhiqhOC4aOxqlh7Nl3DkPMCs sxojhqb5CceLjAIpx2Qd3OfE8f7NhxBjhr5aYzM4r0bhdtKmgBr/zNqGudESH6c5mfcp iV2cMw2pzQ9+O3r3QWB+Apfcy22MlV4O6j9wUHGv+0PtDG6LEbWMYzFzvVYjXukb42qJ LFKbjnYvJ9w0ogsAOyB1LadteYXXKm6RPjFgc7XLoGhxPuH5fd2UrSdNQdN8uS5cDVN1 lYow== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e11si1370908pfn.89.2018.04.11.13.21.16; Wed, 11 Apr 2018 13:21:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933268AbeDKSxZ (ORCPT + 99 others); Wed, 11 Apr 2018 14:53:25 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:33724 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932401AbeDKSxV (ORCPT ); Wed, 11 Apr 2018 14:53:21 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 12B7DE70; Wed, 11 Apr 2018 18:53:20 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Jorgen Hansen , Masahiro Yamada , Michal Hocko , Andrew Morton , Linus Torvalds , Sasha Levin Subject: [PATCH 4.9 021/310] drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests Date: Wed, 11 Apr 2018 20:32:40 +0200 Message-Id: <20180411183623.204492193@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180411183622.305902791@linuxfoundation.org> References: <20180411183622.305902791@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter [ Upstream commit 146180c052a00172f4dc08eaade836fd02f61fb5 ] The "DIV_ROUND_UP(size, PAGE_SIZE)" operation can overflow if "size" is more than ULLONG_MAX - PAGE_SIZE. Link: http://lkml.kernel.org/r/20170322111950.GA11279@mwanda Signed-off-by: Dan Carpenter Cc: Jorgen Hansen Cc: Masahiro Yamada Cc: Michal Hocko Cc: Greg Kroah-Hartman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/drivers/misc/vmw_vmci/vmci_queue_pair.c +++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c @@ -298,8 +298,11 @@ static void *qp_alloc_queue(u64 size, u3 size_t pas_size; size_t vas_size; size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if); - const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; + u64 num_pages; + if (size > SIZE_MAX - PAGE_SIZE) + return NULL; + num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; if (num_pages > (SIZE_MAX - queue_size) / (sizeof(*queue->kernel_if->u.g.pas) + @@ -624,9 +627,12 @@ static struct vmci_queue *qp_host_alloc_ { struct vmci_queue *queue; size_t queue_page_size; - const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; + u64 num_pages; const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if)); + if (size > SIZE_MAX - PAGE_SIZE) + return NULL; + num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; if (num_pages > (SIZE_MAX - queue_size) / sizeof(*queue->kernel_if->u.h.page)) return NULL;