[PATCH v1 3/6] virtio 9p: Fix an overflow
From: Alexander Shishkin
Date: Thu Jan 19 2023 - 13:17:04 EST
From: Andi Kleen <ak@xxxxxxxxxxxxxxx>
tag_len is read as a u16 from the untrusted host. It could overflow
in the memory allocation, which would lead to a too small buffer.
Some later loops use it when extended to 32bit, so they could overflow
the too small buffer.
Make sure to do the arithmetic for the buffer size in 32bit to avoid
wrapping.
Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
Signed-off-by: Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>
Reviewed-by: Christian Schoenebeck <linux_oss@xxxxxxxxxxxxx>
Cc: Eric Van Hensbergen <ericvh@xxxxxxxxx>
Cc: Latchesar Ionkov <lucho@xxxxxxxxxx>
Cc: Dominique Martinet <asmadeus@xxxxxxxxxxxxx>
Cc: v9fs-developer@xxxxxxxxxxxxxxxxxxxxx
---
net/9p/trans_virtio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 3c27ffb781e3..a78e4d80e5ba 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev)
err = -EINVAL;
goto out_free_vq;
}
- tag = kzalloc(tag_len + 1, GFP_KERNEL);
+ tag = kzalloc((u32)tag_len + 1, GFP_KERNEL);
if (!tag) {
err = -ENOMEM;
goto out_free_vq;
--
2.39.0