Message ID | 20171013110500.6apnjjw67lnvhlrk@mwanda (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c index 92155cce926d..89d50aeafd71 100644 --- a/drivers/vfio/vfio_iommu_type1.c +++ b/drivers/vfio/vfio_iommu_type1.c @@ -767,6 +767,9 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu, return -EINVAL; if (!unmap->size || unmap->size & mask) return -EINVAL; + if (unmap->iova + unmap->size < unmap->iova || + unmap->size > SIZE_MAX) + return -EINVAL; WARN_ON(mask & PAGE_MASK); again:
I get a static checker warning about the potential integer overflow if we add "unmap->iova + unmap->size". The integer overflow isn't really harmful, but we may as well fix it. Also unmap->size gets truncated to size_t when we pass it to vfio_find_dma() so we could check for too high values of that as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>