authorMartin Radev <martin.b.radev@gmail.com>2022-05-09 23:39:36 +0300
committerWill Deacon <will@kernel.org>2022-05-20 21:30:11 +0100
commit52d4ee7cb52071f6ca5cdd0c9e504c4f0fefcc35 (patch)
tree31c6b7788bf4dabf81821ad3eafe55ee1672218b
parent143ffa2221d38b9405ce89552363b76cf3f6915c (diff)
mmio: Sanitize addr and len
This patch verifies that adding the addr and length arguments of an MMIO op does not overflow. This is necessary because the arguments are controlled by the VM. The length may be set to an arbitrary value by using the rep prefix. Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com> Signed-off-by: Martin Radev <martin.b.radev@gmail.com> Link: https://lore.kernel.org/r/20220509203940.754644-3-martin.b.radev@gmail.com [will: Drop redundant o/f check in virtio_mmio_device_specific() per Alex] Signed-off-by: Will Deacon <will@kernel.org>
-rw-r--r--mmio.c4
1 files changed, 4 insertions, 0 deletions
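diff --git a/mmio.c b/mmio.c
index a6dd3aa3..5a114e99 100644
--- a/mmio.c
+++ b/mmio.c
@@ -32,6 +32,10 @@ static struct mmio_mapping *mmio_search(struct rb_root *root, u64 addr, u64 len)
 {
 struct rb_int_node *node;
+ /* If len is zero or if there's an overflow, the MMIO op is invalid. */
+ if (addr + len <= addr)
+ return NULL;
+
 node = rb_int_search_range(root, addr, addr + len);
 if (node == NULL)
 return NULL;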
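Review bot: The new guard `if (addr + len <= addr)` is correct only because both operands are u64 (visible in the hunk header), so the wrap it detects is defined modular arithmetic rather than signed-overflow UB; the comment above it should say so, since a reader seeing the expression in isolation cannot tell the operand types without scrolling up to the signature. I would extend the comment to `/* addr and len are guest-controlled u64s: a zero len, or a sum that wraps past the end of the address space, makes the op invalid (unsigned wrap is well-defined). */`. The same `addr + len` is passed to rb_int_search_range() two lines later, and now that the guard rejects the wrapping case that call never sees a wrapped upper bound; a sentence to that effect in the function's header comment would stop later callers from re-adding their own overflow check. mmio_search() continues past the end of the hunk.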