Merge "haven: hh_rm_iface: Avoid integer overflow for req_payload_size calculation" (e4e6533c) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/virt/haven/hh_rm_iface.c

+4 −2

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
		*
		*/

		@@ -121,6 +121,8 @@ hh_rm_vm_get_hyp_res(hh_vmid_t vmid, u32 *n_entries)

		/* The response payload should contain all the resource entries */
		if (resp_payload_size < sizeof(*n_entries) \|\|
		(sizeof(*n_entries) > (U32_MAX -
		(resp_payload->n_resource_entries * sizeof(*resp_entries)))) \|\|
		resp_payload_size != sizeof(*n_entries) +
		(resp_payload->n_resource_entries * sizeof(*resp_entries))) {
		pr_err("%s: Invalid size received for GET_HYP_RESOURCES: %u\n",
		@@ -614,7 +616,7 @@ int hh_rm_console_write(hh_vmid_t vmid, const char *buf, size_t size)
		int reply_err_code = 0;
		size_t req_payload_size = sizeof(*req_payload) + size;

		if (size < 1 \|\| size > U32_MAX)
		if (size < 1 \|\| size > (U32_MAX - sizeof(*req_payload)))
		return -EINVAL;

		req_payload = kzalloc(req_payload_size, GFP_KERNEL);