[PATCH] vfio: hisi_acc_vfio_pci: fix integer overflow check in hisi_acc_vf_resume_write()

From: Dan Carpenter
Date: Tue Jul 05 2022 - 05:06:11 EST

Next message: Robin Murphy: "Re: [PATCH v2 03/14] iommu: Move bus setup to IOMMU device registration"
Previous message: Andy Shevchenko: "Re: [PATCH v2 2/2] iio: adc: Add rtq6056 support"
Next in thread: Jason Gunthorpe: "Re: [PATCH] vfio: hisi_acc_vfio_pci: fix integer overflow check in hisi_acc_vf_resume_write()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The casting on this makes the integer overflow check slightly wrong.
"len" is an unsigned long. "*pos" and "requested_length" are signed
long longs. Imagine "len" is ULONG_MAX and "*pos" is 2.
"ULONG_MAX + 2 = 1". That's an integer overflow. However, if we cast
the ULONG_MAX to long long then "-1 + 2 = 1". That's not an integer
overflow.

It's simpler if "requested_length" length is an unsigned value so we
don't have to worry about negatives.

I believe that the checks in the VFS layer and the check for "*pos < 0"
probably prevent this bug in real life, but it's safer to just be sure.

Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
It is strange that we are doing:

pos = &filp->f_pos;

instead of using the passed in value of pos. The VFS layer ensures
that the passed in value of "*pos + len" cannot overflow in
rw_verify_area() so normally this check could have been removed.

drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
index ea762e28c1cc..dcc34488b0c0 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
@@ -701,7 +701,7 @@ static ssize_t hisi_acc_vf_resume_write(struct file *filp, const char __user *bu
size_t len, loff_t *pos)
{
struct hisi_acc_vf_migration_file *migf = filp->private_data;
- loff_t requested_length;
+ unsigned long requested_length;
ssize_t done = 0;
int ret;

@@ -709,8 +709,8 @@ static ssize_t hisi_acc_vf_resume_write(struct file *filp, const char __user *bu
return -ESPIPE;
pos = &filp->f_pos;

- if (*pos < 0 ||
- check_add_overflow((loff_t)len, *pos, &requested_length))
+ if (*pos < 0 || *pos > ULONG_MAX ||
+ check_add_overflow(len, (unsigned long)*pos, &requested_length))
return -EINVAL;

if (requested_length > sizeof(struct acc_vf_data))
--
2.35.1

Next message: Robin Murphy: "Re: [PATCH v2 03/14] iommu: Move bus setup to IOMMU device registration"
Previous message: Andy Shevchenko: "Re: [PATCH v2 2/2] iio: adc: Add rtq6056 support"
Next in thread: Jason Gunthorpe: "Re: [PATCH] vfio: hisi_acc_vfio_pci: fix integer overflow check in hisi_acc_vf_resume_write()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]