Re: [PATCH] xen: fix potential integer overflow in queue_reply

From: David Vrabel
Date: Mon Jan 18 2016 - 11:38:12 EST

Next message: Joe Lawrence: "Re: [patch 00/14] x86/irq: Plug various vector cleanup races"
Previous message: Ganapatrao Kulkarni: "[PATCH v9 4/6] arm64, dt, thunderx: Add initial dts for Cavium Thunderx in 2 node topology."
In reply to: Insu Yun: "[PATCH] xen: fix potential integer overflow in queue_reply"
Next in thread: David Vrabel: "Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 18/01/16 16:29, Insu Yun wrote:
> When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
> it can overflow integer range and allocates small size of heap.
> After that, memcpy will overflow the allocated heap.
> Therefore, it needs to check the size of given length.
[...]
> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len)
> {
> struct read_buffer *rb;
>
> - if (len == 0)
> + if (len == 0 || len >= UINT_MAX - sizeof(*rb))
^^^^^^^^^^^^^^^^^^^^^^
Please check

len > XENSTORE_PAYLOAD_MAX

instead.

David

Next message: Joe Lawrence: "Re: [patch 00/14] x86/irq: Plug various vector cleanup races"
Previous message: Ganapatrao Kulkarni: "[PATCH v9 4/6] arm64, dt, thunderx: Add initial dts for Cavium Thunderx in 2 node topology."
In reply to: Insu Yun: "[PATCH] xen: fix potential integer overflow in queue_reply"
Next in thread: David Vrabel: "Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]