Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2329990imm; Fri, 7 Sep 2018 14:47:14 -0700 (PDT) X-Google-Smtp-Source: ANB0VdaYnZmZGIICuWEaqPATgnCfitEraUMG4pbHXXOmLZp5GoMwsP5Wck96GjcMNwiF/aDXklmp X-Received: by 2002:a63:986:: with SMTP id 128-v6mr10613652pgj.153.1536356834875; Fri, 07 Sep 2018 14:47:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536356834; cv=none; d=google.com; s=arc-20160816; b=AUsX1lOYYWPX95eRFZr/cGb/aDkcVveyoRB6hucY9X7pM/+iMrbQ+LfvFJ6XEjm93b eBO4q7I8DTgrX9/2rypr4kc7PF4dXr383YtJmmu79XeF4YzMMtaYNrdFqEdNofc/m4TY Uh6MdcdyQDcMvxncdH9iN0veNAO0KJZBi9ONLyb+4c4/5EA6mb+kv1ygdZbeoC+hUfXc O2sdy3cXXs9IRI4CMiz569BRPsTs9DPQ//ams7aq99DC9dklfPF8AfuBRrEWP99OY+qr nF0s/q+9YjBU8HT/i24MP4k7viXxWEu7l0XD/8ZKNyyi9QhhyDw+SQtjLMUX88ByKUoA BisA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from; bh=118hZq9a+5KkNgWCxyLCyIS4frGIdXar+Avz0UiJ3aQ=; b=PNxLul3JD6ipu7ruUJ+amPO943oxBJpfdFpljKSbACbP5exHvBT2mEsng31EMzU05P e172gW0QpBIY7zmZ9jbdkSyJUfNMfcSlyB2ZWXxVFFNR/kTz/8rnUwNpntt8lAmvupi9 4TT61FbMXGnwqT71naFj8PLhkiLSsD6dtIHdN9yjru1giMAyiAE8K/csZGIw+qXHm6Sz gTT0JHA2kHWNfEcCbh1qUJ+F77x65aSVa4/uMTQci2azGPEjBQLX8NnZ0MpEvM67TbyS KH+AjLdhkmIT8Vukua+BfpXeP0QOqOY/4HM0NsIh4H2AeuwcDWcVHl9gZN0GPgTTCDio 6BGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d9-v6si9907147plj.418.2018.09.07.14.46.59; Fri, 07 Sep 2018 14:47:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731049AbeIHC2B (ORCPT + 99 others); Fri, 7 Sep 2018 22:28:01 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:57994 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728110AbeIHC2A (ORCPT ); Fri, 7 Sep 2018 22:28:00 -0400 Received: from localhost (ip-213-127-74-90.ip.prioritytelecom.net [213.127.74.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id A90D8F36; Fri, 7 Sep 2018 21:45:04 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yiwen Jiang , Dan Carpenter , Jun Piao , Dominique Martinet Subject: [PATCH 3.18 04/29] 9p/virtio: fix off-by-one error in sg list bounds check Date: Fri, 7 Sep 2018 23:10:25 +0200 Message-Id: <20180907210909.893770166@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180907210909.523240901@linuxfoundation.org> References: <20180907210909.523240901@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: jiangyiwen commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream. Because the value of limit is VIRTQUEUE_NUM, if index is equal to limit, it will cause sg array out of bounds, so correct the judgement of BUG_ON. Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com Signed-off-by: Yiwen Jiang Reported-By: Dan Carpenter Acked-by: Jun Piao Cc: stable@vger.kernel.org Signed-off-by: Dominique Martinet Signed-off-by: Greg Kroah-Hartman --- net/9p/trans_virtio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -192,7 +192,7 @@ static int pack_sg_list(struct scatterli s = rest_of_page(data); if (s > count) s = count; - BUG_ON(index > limit); + BUG_ON(index >= limit); /* Make sure we don't terminate early. */ sg_unmark_end(&sg[index]); sg_set_buf(&sg[index++], data, s); @@ -238,6 +238,7 @@ pack_sg_list_p(struct scatterlist *sg, i s = rest_of_page(data); if (s > count) s = count; + BUG_ON(index >= limit); /* Make sure we don't terminate early. */ sg_unmark_end(&sg[index]); sg_set_page(&sg[index++], pdata[i++], s, data_off);