| author | Martin Radev <martin.b.radev@gmail.com> | 2022-05-09 23:39:36 +0300 |
|---|---|---|
| committer | Will Deacon <will@kernel.org> | 2022-05-20 21:30:11 +0100 |
| commit | 52d4ee7cb52071f6ca5cdd0c9e504c4f0fefcc35 (patch) | |
| tree | 31c6b7788bf4dabf81821ad3eafe55ee1672218b | |
| parent | 143ffa2221d38b9405ce89552363b76cf3f6915c (diff) | |
| download | kvmtool-52d4ee7cb52071f6ca5cdd0c9e504c4f0fefcc35.tar.gz | |
mmio: Sanitize addr and len
This patch verifies that adding the addr and length arguments
from an MMIO op does not overflow. This is necessary because the
arguments are controlled by the VM. The length may be set to
an arbitrary value by using the rep prefix.
Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com>
Signed-off-by: Martin Radev <martin.b.radev@gmail.com>
Link: https://lore.kernel.org/r/20220509203940.754644-3-martin.b.radev@gmail.com
[will: Drop redundant o/f check in virtio_mmio_device_specific() per Alex]
Signed-off-by: Will Deacon <will@kernel.org>
-rw-r--r-- | mmio.c | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -32,6 +32,10 @@ static struct mmio_mapping *mmio_search(struct rb_root *root, u64 addr, u64 len) { struct rb_int_node *node; + /* If len is zero or if there's an overflow, the MMIO op is invalid. */ + if (addr + len <= addr) + return NULL; + node = rb_int_search_range(root, addr, addr + len); if (node == NULL) return NULL; |
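Review bot: the new guard in mmio_search() returns NULL for both len == 0 and a wrapped addr + len, so for the caller a guest-controlled overflowing access is indistinguishable from an access to an unmapped region. That is a defensible choice given the commit message (both values come from the VM, and len can be made arbitrary via the rep prefix), but the comment should say so, e.g. `/* addr and len are guest-controlled: reject a zero length or a wrapped range as if it were unmapped. */`. The test itself is well-defined because addr and len are both u64 and unsigned wrap-around is defined; a small cleanup would be to compute the end once into a local (`u64 end = addr + len;`) and use it both in the check and in the `rb_int_search_range(root, addr, end)` call, so the two never drift apart.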