Date: Mon, 12 Apr 2021 23:41:24 +0200
From: "Christian A. Ehrhardt"
To: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Alex Williamson, Alexey Kardashevskiy, David Gibson, Michael Ellerman, Cornelia Huck
Subject: [PATCH] vfio/pci: Add missing range check in vfio_pci_mmap
Message-ID: <20210412214124.GA241759@lisa.in-ulm.de>
References: <20210410230013.GC416417@lisa.in-ulm.de> <20210412140238.184e141f@omen>
In-Reply-To: <20210412140238.184e141f@omen>

When mmaping an extra device region verify that the region index
derived from the mmap offset is valid.

Fixes: a15b1883fee1 ("vfio_pci: Allow mapping extra regions")
Cc: stable@vger.kernel.org
Signed-off-by: Christian A. Ehrhardt
---
 drivers/vfio/pci/vfio_pci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 65e7e6b44578..5023e23db3bc 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -1656,6 +1656,8 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) index = vma->vm_pgoff >> (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT); + if (index >= VFIO_PCI_NUM_REGIONS + vdev->num_regions) + return -EINVAL; if (vma->vm_end < vma->vm_start) return -EINVAL; if ((vma->vm_flags & VM_SHARED) == 0)
@@ -1664,7 +1666,7 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma) int regnum = index - VFIO_PCI_NUM_REGIONS; struct vfio_pci_region *region = vdev->region + regnum; - if (region && region->ops && region->ops->mmap && + if (region->ops && region->ops->mmap && (region->flags & VFIO_REGION_INFO_FLAG_MMAP)) return region->ops->mmap(vdev, region, vma); return -EINVAL;
-- 
2.25.1
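Review bot: In the first hunk, the new `if (index >= VFIO_PCI_NUM_REGIONS + vdev->num_regions) return -EINVAL;` is the actual bounds check that was missing for the extra-region path: without it a userspace-controlled `vm_pgoff` could yield a `regnum` larger than `num_regions`, and `vdev->region + regnum` in the second hunk would point past the end of the region array. Since the check sits several lines above the code it protects, a one-line comment at the check (e.g. `/* index selects a BAR or an entry of vdev->region[] below */`) would help future readers see why it must stay ahead of the `regnum` computation. The comparison itself is safe from wrap-around because `index` is a small right-shifted value and `VFIO_PCI_NUM_REGIONS + num_regions` is a small count.

Review bot: In the second hunk, dropping `region &&` from the condition is correct rather than a loss of safety: `region` is the result of pointer arithmetic (`vdev->region + regnum`), so the old test only fired when `vdev->region` was NULL and `regnum` was 0, and it never caught an out-of-range `regnum`. With the range check from the first hunk, this branch is reached only when `num_regions > 0`, so `vdev->region` is expected to be allocated, provided the driver always allocates the array whenever it increments `num_regions`; it would be worth stating that invariant in the commit message so that the removed NULL test is not read as an oversight.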