From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Andrew Morton, Timur Tabi, Mihai Caraman, Kumar Gala, Linus Torvalds
Subject: [PATCH 4.19 107/113] drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
Date: Wed, 15 May 2019 12:56:38 +0200
Message-Id: <20190515090701.787093558@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190515090652.640988966@linuxfoundation.org>
References: <20190515090652.640988966@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.

The "param.count" value is a u64 that comes from the user. The code later in the function assumes that param.count is at least one and if it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.

Also the addition can have an integer overflow which would lead us to allocate a smaller "pages" array than required. I can't immediately tell what the possible run time implications are, but it's safest to prevent the overflow.

Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: Dan Carpenter
Reviewed-by: Andrew Morton
Cc: Timur Tabi
Cc: Mihai Caraman
Cc: Kumar Gala
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

--- drivers/virt/fsl_hypervisor.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/virt/fsl_hypervisor.c +++ b/drivers/virt/fsl_hypervisor.c
@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i * hypervisor. */ lb_offset = param.local_vaddr & (PAGE_SIZE - 1); + if (param.count == 0 || + param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) + return -EINVAL; num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT; /* Allocate the buffers we need */
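
Review bot: The new bound in ioctl_memcpy() only rules out wrap-around of the u64 sum param.count + lb_offset + PAGE_SIZE - 1; it sets no practical upper limit on param.count, so a request at the edge of the check still yields num_pages as large as U64_MAX >> PAGE_SHIFT. Neither the declared type of num_pages nor the size arithmetic behind "Allocate the buffers we need" is visible in this hunk; if num_pages is narrower than u64, or is multiplied by an element size in that allocation, a count that passes this check could still truncate or overflow there. Consider also rejecting counts above a driver-defined maximum transfer size, or confirming that the allocation goes through an overflow-checked helper such as kcalloc() or kmalloc_array(). A short comment above the check stating that it covers both the zero-length case and the addition on the next line would help future readers.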