author Jiri Slaby <jslaby@suse.cz> 2019-05-17 06:38:43 +0200
committer Jiri Slaby <jslaby@suse.cz> 2019-05-17 06:38:52 +0200
commit bc4210485122fecae16a56fa2819095df1e5f956
tree 52c40a0206c992a4d6d5236b8a549c3aae7c4600
parent 71355bb36ecbe5c275dda911c12248d771b70e0a
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
-rw-r--r-- patches.kernel.org/5.1.3-035-drivers-virt-fsl_hypervisor.c-prevent-integer-o.patch 52
-rw-r--r-- series.conf 1
2 files changed, 53 insertions, 0 deletions
diff --git a/patches.kernel.org/5.1.3-035-drivers-virt-fsl_hypervisor.c-prevent-integer-o.patch b/patches.kernel.org/5.1.3-035-drivers-virt-fsl_hypervisor.c-prevent-integer-o.patch
new file mode 100644
index 0000000000..381a88aa12
--- /dev/null
+++ b/patches.kernel.org/5.1.3-035-drivers-virt-fsl_hypervisor.c-prevent-integer-o.patch
@@ -0,0 +1,52 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: [PATCH] drivers/virt/fsl_hypervisor.c: prevent integer overflow in
+ ioctl
+References: bnc#1012628
+Patch-mainline: 5.1.3
+Git-commit: 6a024330650e24556b8a18cc654ad00cfecf6c6c
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user. The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required. I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/virt/fsl_hypervisor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
+index 7b7f8e9a2801..1bbd910d4ddb 100644
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ * hypervisor.
+ */
+ lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++ if (param.count == 0 ||
++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++ return -EINVAL;
+ num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+ /* Allocate the buffers we need */
+--
+2.21.0
+
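Review bot: the check added before the num_pages computation in ioctl_memcpy() rejects param.count == 0 and wrap-around of the u64 sum param.count + lb_offset + PAGE_SIZE - 1, but it puts no practical upper limit on param.count. A user-supplied count just below the wrap threshold still passes and produces a very large num_pages going into the "Allocate the buffers we need" step. The declaration of num_pages is not visible in this context; if it is narrower than 64 bits, the shifted result can still truncate, which is the "smaller pages array than required" case the commit message sets out to exclude. I would confirm the type of num_pages and bound the page count explicitly against what the allocation can represent, and add a one-line comment above the check naming the expression it protects, since the commit message itself leaves the runtime impact of the overflow open.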
diff --git a/series.conf b/series.conf
index 8bcb85b709..54a51031a1 100644
--- a/series.conf
+++ b/series.conf
@@ -120,6 +120,7 @@
patches.kernel.org/5.1.3-032-flow_dissector-disable-preemption-around-BPF-ca.patch
patches.kernel.org/5.1.3-033-isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch
patches.kernel.org/5.1.3-034-drivers-virt-fsl_hypervisor.c-dereferencing-err.patch
+ patches.kernel.org/5.1.3-035-drivers-virt-fsl_hypervisor.c-prevent-integer-o.patch
########################################################
# Build fixes that apply to the vanilla kernel too.