Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa6467f1 authored by Jorgen Hansen's avatar Jorgen Hansen Committed by Greg Kroah-Hartman
Browse files

VMCI: Guard against overflow in queue pair allocation 



The current maximum size of a queue in a queue pair is 128 MB. If
we increase that in the future, the queue pair allocation routines
may run into overflow issues. This change adds additional checks
to guard against this.

Acked-by: default avatarAndy King <acking@vmware.com>
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarJorgen Hansen <jhansen@vmware.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 74b5c297

drivers/misc/vmw_vmci/vmci_driver.c

+1 −1
Original line number Diff line number Diff line
@@ -113,5 +113,5 @@ module_exit(vmci_drv_exit); 


MODULE_AUTHOR("VMware, Inc.");

MODULE_DESCRIPTION("VMware Virtual Machine Communication Interface.");

MODULE_VERSION("1.1.2.0-k");

MODULE_VERSION("1.1.3.0-k");

MODULE_LICENSE("GPL v2");

drivers/misc/vmw_vmci/vmci_queue_pair.c

+22 −9
Original line number Diff line number Diff line
@@ -295,12 +295,20 @@ static void *qp_alloc_queue(u64 size, u32 flags) 
{

	u64 i;

	struct vmci_queue *queue;

	const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;

	const size_t pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);

	const size_t vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);

	const size_t queue_size =

		sizeof(*queue) + sizeof(*queue->kernel_if) +

		pas_size + vas_size;

	size_t pas_size;

	size_t vas_size;

	size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);

	const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;



	if (num_pages >

		 (SIZE_MAX - queue_size) /

		 (sizeof(*queue->kernel_if->u.g.pas) +

		  sizeof(*queue->kernel_if->u.g.vas)))

		return NULL;



	pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);

	vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);

	queue_size += pas_size + vas_size;



	queue = vmalloc(queue_size);

	if (!queue)
@@ -615,10 +623,15 @@ static int qp_memcpy_from_queue_iov(void *dest, 
static struct vmci_queue *qp_host_alloc_queue(u64 size)

{

	struct vmci_queue *queue;

	const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;

	size_t queue_page_size;

	const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;

	const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));

	const size_t queue_page_size =

	    num_pages * sizeof(*queue->kernel_if->u.h.page);



	if (num_pages > (SIZE_MAX - queue_size) /

		 sizeof(*queue->kernel_if->u.h.page))

		return NULL;



	queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);



	queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);

	if (queue) {