Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5253843imu; Tue, 15 Jan 2019 14:09:21 -0800 (PST) X-Google-Smtp-Source: ALg8bN4faFbcv6+jvtJrVs7VZZEcZ0LW3EFuT2oSC7AcAn3chNK/w8BQi/i5/MHfZBQPxkoecUrb X-Received: by 2002:a17:902:4124:: with SMTP id e33mr6341431pld.236.1547590161667; Tue, 15 Jan 2019 14:09:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547590161; cv=none; d=google.com; s=arc-20160816; b=J6MMHMpcoU7yxgUTpaB/afG2ErHse+onQf8dhiy6q9Q2QXYD48eIl0+Tp7sZiYWnF7 6eO7TA/omtfhO7kdEH3JWDk8+RCHQc3ikohFIxuoNiQTeAGBz0H5LxFOWBCUxJUk7zm3 7xmE/YOtr4PhiQYSoXzIhGkRY3C4/n+YX/Hrwww+nQucmlXso5uMp3+NXKxboQabzKLL yuSolvCtIfESmlH+DcYQMMzob+FM4uYXu57tsoI8qq1l0cGxA6QnTBT5VtWLVLATVDpf pu7lt3iwabWz7gfVJfuRwJo3frJE+iNipxnufSvaasLF29lCQWBQfYDrFgg3M/F2lJNF aJ6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=LORIH2avbRpC47CcJS2BHr3jROezRhsC5n083c+Ey3U=; b=GaoWy8mGgMMhX+2KSnoMsZPj2GksQFdASXoWs2su7B3/3Nh4uKmJIuwGPuu7tZzWmp SFBra+6vRfA5syERKvNfLPUetiKsdWk86CCXxDCAOmGQLlrV0a8EJ+IPVLEA6dbdj1cc 2Bn7V569fE0Jgu2laOsXiX++RyN6xJIkQrzVLRbmtTee3/+IRO8cm4VZCt+7aQeCTXLn d/7FgDwnSYbP8Ok/+RCMZoInyFTW1Ad6A14NeqIwFdV68c2Yl2ElcahXC6RPjoQjO3ob WIblN9XVGU2Z49tL4p6RiPZvLC6oHJ65iuTrVTt8W3TalNkLtwpgsJGjzQ8MUSbo4rlC jzqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WDjIQaJ8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k190si4045794pgd.64.2019.01.15.14.09.02; Tue, 15 Jan 2019 14:09:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WDjIQaJ8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387913AbfAOQqG (ORCPT + 99 others); Tue, 15 Jan 2019 11:46:06 -0500 Received: from mail.kernel.org ([198.145.29.99]:35742 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387899AbfAOQqC (ORCPT ); Tue, 15 Jan 2019 11:46:02 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C08E520675; Tue, 15 Jan 2019 16:46:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1547570762; bh=mq03ULgkvFS67zK5ltqYOhAzfaHfXFIXq+gr+Nf3pEw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WDjIQaJ8kZLFtUJsGPrG9OjfB9Q4NJCA9dLwnJq0ErdSZPHFLk3VHlQTC1WivEVwS rzpb1ryrkbjGmhzTw+LMmCF+Xl6rJK9SShbz54udSvsDAuWO0cxQhYsQmYb1ahSjJm TELBh2hlzjxZ+AKWw/n3IpYlnNIPyi1Jy4jowWjo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pei Zhang , Dan Carpenter , Peter Xu , Cornelia Huck , Alex Williamson Subject: [PATCH 4.20 36/57] vfio/type1: Fix unmap overflow off-by-one Date: Tue, 15 Jan 2019 17:36:17 +0100 Message-Id: <20190115154912.798297882@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190115154910.734892368@linuxfoundation.org> References: <20190115154910.734892368@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Alex Williamson commit 58fec830fc19208354895d9832785505046d6c01 upstream. The below referenced commit adds a test for integer overflow, but in doing so prevents the unmap ioctl from ever including the last page of the address space. Subtract one to compare to the last address of the unmap to avoid the overflow and wrap-around. Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning") Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291 Cc: stable@vger.kernel.org # v4.15+ Reported-by: Pei Zhang Debugged-by: Peter Xu Reviewed-by: Dan Carpenter Reviewed-by: Peter Xu Tested-by: Peter Xu Reviewed-by: Cornelia Huck Signed-off-by: Alex Williamson Signed-off-by: Greg Kroah-Hartman --- drivers/vfio/vfio_iommu_type1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/vfio/vfio_iommu_type1.c +++ b/drivers/vfio/vfio_iommu_type1.c @@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio return -EINVAL; if (!unmap->size || unmap->size & mask) return -EINVAL; - if (unmap->iova + unmap->size < unmap->iova || + if (unmap->iova + unmap->size - 1 < unmap->iova || unmap->size > SIZE_MAX) return -EINVAL;