Commit ec1287e5 authored by Alex Williamson

vfio-pci: Fix buffer overfill



A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count.  Fix it.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
parent 406089d0
+2 −2
@@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf,
			filled = 1;
		} else {
			/* Drop writes, fill reads with FF */
			filled = min((size_t)(x_end - pos), count);
			if (!iswrite) {
				char val = 0xFF;
				size_t i;

				for (i = 0; i < x_end - pos; i++) {
				for (i = 0; i < filled; i++) {
					if (put_user(val, buf + i))
						goto out;
				}
			}

			filled = x_end - pos;
		}

		count -= filled;
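
Review bot: the changelog only mentions reads, but the new `filled = min((size_t)(x_end - pos), count);` sits above the `if (!iswrite)` test, so it also changes the dropped-write path. The removed `filled = x_end - pos;` fed `count -= filled` with a value that could exceed the remaining `count` for writes too. Since this is Cc'd to stable, the message should say that both directions are affected so backporters can judge the impact. Separately, the `(size_t)` cast is only safe if `pos < x_end` always holds on this branch. The test that guarantees it is outside the visible context, so a one-line comment next to the `min()` stating that invariant would help.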